
Adware.Gen, W32.IRCbot and Hacktool.Rootkit


  • This topic is locked
16 replies to this topic

#1 GumbyŠ

GumbyŠ

  • Members
  • 20 posts

Posted 16 May 2009 - 05:07 PM

Recently I was infected with the above viruses (two instances of W32.IRCbot). The following is the DDS.txt, and the Attach.txt is attached as a zip as outlined in the forum guidelines. I would appreciate any assistance possible. Thanks in advance.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Joe West at 17:48:31.75 on 16-May-2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1024.479 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\______C backup\Palm\Hotsync.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\HEWLET~2\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Documents and Settings\Joe West\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.joewest.ca/Robin/index.htm
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdmcks.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: &Canada Toolbar: {94dd342d-0b1e-49a5-80ef-27f4ad584c48} - c:\program files\2 pixels\canada toolbar\CanadaToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [WeatherEye] c:\program files\theweathernetwork\weathereye\WeatherEye.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UpdReg] c:\windows\Updreg.exe
mRun: [CTStartup] c:\program files\creative\splash screen\CTEaxSpl.EXE /run
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Jet Detection] c:\program files\creative\sbaudigy\program\ADGJDet.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [C-Media Mixer] Mixer.exe /startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\______c backup\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet g series\bin\hpoavn07.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\arcsoft\media card companion\MCC Monitor.exe
uPolicies-explorer: <NO NAME> =
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: Subscribe in RSS Bandit - c:\documents and settings\joe west\application data\rssbandit\iecontext_subscribebandit.htm
IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks\norton cleanup\WCQuick.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\dtv\EXPLBAR.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231877263671
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231877235500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} - hxxp://shared.live.com/0AWo70tq93pEHO1WfbbTIA/etc/Microsoft.Live.Folders.RichUpload.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: MagnifierExt Class: {41190c6e-1738-454f-9a85-75dbb2d50058} - c:\windows\system32\cmclur.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joewes~1\applic~1\mozilla\firefox\profiles\ahfwoml5.default\
FF - prefs.js: browser.startup.homepage -
FF - plugin: c:\documents and settings\joe west\application data\mozilla\firefox\profiles\ahfwoml5.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npCtNPi.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdsplay.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\netscape\communicator\program\plugins\npwmsdrm.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\drivers\IABFilt.sys [2005-3-3 25344]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-9-17 127768]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton systemworks\norton antivirus\Savrtpel.sys [2005-8-26 53896]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2007-10-6 138624]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 191848]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169320]
R2 CINEMSUP;Software Cinemaster NT4.0 Driver;c:\windows\system32\drivers\cinemsup.sys [2005-7-2 6144]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton systemworks\norton antivirus\NAVAPSVC.EXE [2005-9-23 139888]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-6-3 1251720]
R2 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-9-20 394952]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-27 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090513.003\NAVENG.Sys [2009-5-14 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090513.003\NavEx15.Sys [2009-5-14 876144]
R3 SAVRT;SAVRT;c:\program files\norton systemworks\norton antivirus\savrt.sys [2005-8-26 334984]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [2001-7-11 23153]
S2 BT848;CxVCap, WDM Video Capture;c:\windows\system32\drivers\cxvcap.sys --> c:\windows\system32\drivers\cxvcap.sys [?]
S2 CXTUNER;CxTuner, WDM TvTuner;c:\windows\system32\drivers\cxtuner.sys --> c:\windows\system32\drivers\CXTUNER.sys [?]
S2 CXXBAR;CxXBar, WDM Crossbar;c:\windows\system32\drivers\cxxbar.sys --> c:\windows\system32\drivers\CXXBAR.sys [?]
S2 gupdate1c986725b0d78a9;Google Update Service (gupdate1c986725b0d78a9);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 PortRST;USB Flash Memory Controller Service:PortRST;c:\windows\system32\drivers\PortRST.sys [2005-8-12 15547]
S3 SAVScan;Symantec AVScan;c:\program files\norton systemworks\norton antivirus\SAVScan.exe [2005-8-26 198368]
S3 USBFMC;USB Flash Memory Controller Service;c:\windows\system32\drivers\USBFMC.sys [2005-8-12 34612]
S3 USTOR;Verbatim Store 'n' Go;c:\windows\system32\drivers\UStork.sys [2005-9-14 19762]
S3 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2007-8-16 598856]

=============== Created Last 30 ================

2009-05-14 19:33 <DIR> --d----- C:\ComboFix
2009-05-13 22:11 161,792 a------- c:\windows\SWREG.exe
2009-05-13 22:11 98,816 a------- c:\windows\sed.exe
2009-05-13 15:27 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-05-13 15:27 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-05-13 15:27 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-05-13 15:27 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-05-13 15:27 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-05-13 15:27 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-05-13 15:07 24,661 a------- c:\windows\system32\spxcoins.dll
2009-05-13 15:07 13,312 a------- c:\windows\system32\irclass.dll
2009-05-13 15:07 13,753 a----r-- c:\windows\SET6F.tmp
2009-05-13 15:07 1,086,058 a----r-- c:\windows\SET63.tmp
2009-05-13 15:07 1,042,903 a----r-- c:\windows\SET60.tmp
2009-05-09 23:28 <DIR> --d----- C:\New Folder (2)
2009-05-07 15:26 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-05-04 15:56 430,876 a------- c:\windows\setupapi.old
2009-05-04 14:13 117 a--s---- c:\windows\system32\3459851466.dat
2009-05-01 20:51 <DIR> --d----- C:\______C backup
2009-04-30 23:14 <DIR> --d----- c:\program files\Virtual U
2009-04-29 11:54 <DIR> --d----- C:\New Folder
2009-04-25 18:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{C2AC1E50-6536-4256-ACE6-413136533580}
2009-04-25 18:29 <DIR> --d----- c:\program files\TrueSafe
2009-04-23 02:16 <DIR> --d----- c:\program files\Cobian Backup 9
2009-04-23 02:15 <DIR> --d----- c:\docume~1\joewes~1\applic~1\GoodSync
2009-04-16 20:15 <DIR> --d----- c:\windows\OvtCam
2009-04-16 20:15 <DIR> --d----- c:\windows\OVT
2009-04-16 20:15 <DIR> --d----- c:\program files\OVT

==================== Find3M ====================

2009-05-16 17:47 37,685,280 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-05-15 05:24 444,740 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-13 15:25 26,280 a------- c:\windows\system32\emptyregdb.dat
2009-05-01 21:20 4,704 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-30 13:06 170,551 a------- c:\windows\system32\msnslr32.exe
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2006-12-02 18:44 1,115,728 a------- c:\docume~1\alluse~1\applic~1\pswi_preloaded.exe
1765-03-25 22:38 4,263 a--sh--- c:\windows\windllreg1c.sys
2006-11-26 18:31 88 a--shr-- c:\windows\system32\8DFEF1B4EF.sys

============= FINISH: 17:51:09.48 ===============

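Added example, not part of either post in this thread: a small Python triage pass over a log in the DDS format shown above. It pulls out the kinds of entries an analyst reads first (file entries carrying both the system and hidden attributes under the Windows directory, file timestamps that cannot be right, BHO/TB/EB entries that resolve to "No File", and service or driver entries DDS marks with "[?]" because it could not read the binary). The sample log is constructed with made-up names and is shaped like the real one only; a flag here is a prompt to check the file, not a verdict, since licensing and driver software also leaves system+hidden files in these locations.

```python
"""Triage heuristics over a DDS log (the scan output posted in this thread).

Added example. It does not decide what is malware; it only returns the
entries worth a second look, with the reason each was selected.
"""
import re
from datetime import datetime

# Constructed sample in the shape of a DDS log. Names and paths are made up
# or copied in form only; nothing here is a finding about the real log.
SAMPLE_LOG = """\
DDS (Ver_09-05-14.01) - NTFSx86
Run by Example User at 17:48:31.75 on 16-May-2009
============== Pseudo HJT Report ===============
BHO: 1 (0x1) - No File
BHO: Example Helper: {53707962-6f74-2d53-2644-206d7942484f} - c:\\program files\\example\\helper.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
============= SERVICES / DRIVERS ===============
R2 exsvc;Example Service;c:\\windows\\system32\\exsvc.exe -service --> c:\\windows\\system32\\exsvc.exe -service [?]
R3 exdrv;Example Driver;c:\\windows\\system32\\drivers\\exdrv.sys [2007-11-6 34064]
==================== Find3M ====================
2009-05-01 21:20 4,704 a--sh--- c:\\windows\\system32\\AbCdEfGh.sys
2009-03-09 05:19 410,984 a------- c:\\windows\\system32\\deploytk.dll
1765-03-25 22:38 4,263 a--sh--- c:\\windows\\exreg1c.sys
2006-11-26 18:31 88 a--shr-- c:\\windows\\system32\\8DFEF1B4EF.sys
2009-05-14 19:33 <DIR> --d----- C:\\ComboFix
"""

# "Run by <user> at HH:MM:SS.ss on DD-Mon-YYYY" header line
SCAN_DATE_RE = re.compile(
    r"^Run by .+ at \d\d:\d\d:\d\d(?:\.\d+)? on (\d{1,2}-\w{3}-\d{4})"
)
# "YYYY-MM-DD HH:MM <size|<DIR>> <8 attribute flags> <path>" file entry
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)
# browser extension entries whose CLSID no longer maps to a file on disk
COM_RE = re.compile(r"^(?:BHO|TB|EB): .*- No File$")
# "R2 name;description;path [date size]" service/driver entry
SVC_RE = re.compile(r"^[RS][0-4] (?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.+)$")
NT_EPOCH = datetime(1990, 1, 1)  # nothing on an NT box should predate this


def parse_scan_date(text):
    """Return the date DDS ran, taken from its 'Run by ... on' header."""
    for line in text.splitlines():
        m = SCAN_DATE_RE.match(line)
        if m:
            return datetime.strptime(m.group(1), "%d-%b-%Y")
    return None


def triage(text):
    """Return (reason, line) tuples for log entries that merit review."""
    scan_date = parse_scan_date(text)
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            if m.group("size") == "<DIR>":
                continue  # directories are not interesting to these checks
            attrs, path = m.group("attrs"), m.group("path").lower()
            # 's' and 'h' in the flag string are the system and hidden bits
            if "s" in attrs and "h" in attrs and "\\windows\\" in path:
                findings.append(("system+hidden file under Windows directory", line))
            stamp = datetime.strptime(m.group("date"), "%Y-%m-%d")
            if stamp < NT_EPOCH or (scan_date and stamp > scan_date):
                findings.append(("implausible file timestamp", line))
            continue
        if COM_RE.match(line):
            findings.append(("orphaned browser extension registration (No File)", line))
            continue
        m = SVC_RE.match(line)
        if m and m.group("rest").endswith("[?]"):
            findings.append(("service/driver binary could not be read by DDS ([?])", line))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```

Run it against a saved DDS.txt by replacing SAMPLE_LOG with the file contents; the output is a short list to hand-check (file on disk, digital signature, vendor) rather than something to act on directly.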

#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 30 May 2009 - 01:26 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results; click No to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 GumbyŠ

GumbyŠ
  • Topic Starter

  • Members
  • 20 posts

Posted 30 May 2009 - 06:49 PM

Thanks for responding. I have not done anything to fix the problem since posting the original DDS log. I've been using a different computer to connect to the Internet. The problem computer has not been connected to the Internet at all. This is the updated DDS log, and the updated 'attach.txt' file is attached.



DDS (Ver_09-05-14.01) - NTFSx86
Run by Joe West at 19:33:45.45 on 30-May-2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1024.473 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\______C backup\Palm\Hotsync.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\HEWLET~2\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Joe West\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.joewest.ca/Robin/index.htm
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdmcks.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: &Canada Toolbar: {94dd342d-0b1e-49a5-80ef-27f4ad584c48} - c:\program files\2 pixels\canada toolbar\CanadaToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [WeatherEye] c:\program files\theweathernetwork\weathereye\WeatherEye.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UpdReg] c:\windows\Updreg.exe
mRun: [CTStartup] c:\program files\creative\splash screen\CTEaxSpl.EXE /run
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Jet Detection] c:\program files\creative\sbaudigy\program\ADGJDet.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [C-Media Mixer] Mixer.exe /startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\______c backup\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet g series\bin\hpoavn07.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\arcsoft\media card companion\MCC Monitor.exe
uPolicies-explorer: <NO NAME> =
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: Subscribe in RSS Bandit - c:\documents and settings\joe west\application data\rssbandit\iecontext_subscribebandit.htm
IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks\norton cleanup\WCQuick.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\dtv\EXPLBAR.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231877263671
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231877235500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} - hxxp://shared.live.com/0AWo70tq93pEHO1WfbbTIA/etc/Microsoft.Live.Folders.RichUpload.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: MagnifierExt Class: {41190c6e-1738-454f-9a85-75dbb2d50058} - c:\windows\system32\cmclur.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\drivers\IABFilt.sys [2005-3-3 25344]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-9-17 127768]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton systemworks\norton antivirus\Savrtpel.sys [2005-8-26 53896]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2007-10-6 138624]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 191848]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169320]
R2 CINEMSUP;Software Cinemaster NT4.0 Driver;c:\windows\system32\drivers\cinemsup.sys [2005-7-2 6144]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton systemworks\norton antivirus\NAVAPSVC.EXE [2005-9-23 139888]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-6-3 1251720]
R2 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-9-20 394952]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-27 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090513.003\NAVENG.Sys [2009-5-14 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090513.003\NavEx15.Sys [2009-5-14 876144]
R3 SAVRT;SAVRT;c:\program files\norton systemworks\norton antivirus\savrt.sys [2005-8-26 334984]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [2001-7-11 23153]
S2 BT848;CxVCap, WDM Video Capture;c:\windows\system32\drivers\cxvcap.sys --> c:\windows\system32\drivers\cxvcap.sys [?]
S2 CXTUNER;CxTuner, WDM TvTuner;c:\windows\system32\drivers\cxtuner.sys --> c:\windows\system32\drivers\CXTUNER.sys [?]
S2 CXXBAR;CxXBar, WDM Crossbar;c:\windows\system32\drivers\cxxbar.sys --> c:\windows\system32\drivers\CXXBAR.sys [?]
S2 gupdate1c986725b0d78a9;Google Update Service (gupdate1c986725b0d78a9);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 PortRST;USB Flash Memory Controller Service:PortRST;c:\windows\system32\drivers\PortRST.sys [2005-8-12 15547]
S3 SAVScan;Symantec AVScan;c:\program files\norton systemworks\norton antivirus\SAVScan.exe [2005-8-26 198368]
S3 USBFMC;USB Flash Memory Controller Service;c:\windows\system32\drivers\USBFMC.sys [2005-8-12 34612]
S3 USTOR;Verbatim Store 'n' Go;c:\windows\system32\drivers\UStork.sys [2005-9-14 19762]
S3 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2007-8-16 598856]

=============== Created Last 30 ================

2009-05-14 19:33 <DIR> --d----- C:\ComboFix
2009-05-13 22:11 161,792 a------- c:\windows\SWREG.exe
2009-05-13 22:11 98,816 a------- c:\windows\sed.exe
2009-05-13 15:27 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-05-13 15:27 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-05-13 15:27 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-05-13 15:27 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-05-13 15:27 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-05-13 15:27 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-05-13 15:07 24,661 a------- c:\windows\system32\spxcoins.dll
2009-05-13 15:07 13,312 a------- c:\windows\system32\irclass.dll
2009-05-13 15:07 13,753 a----r-- c:\windows\SET6F.tmp
2009-05-13 15:07 1,086,058 a----r-- c:\windows\SET63.tmp
2009-05-13 15:07 1,042,903 a----r-- c:\windows\SET60.tmp
2009-05-09 23:28 <DIR> --d----- C:\New Folder (2)
2009-05-07 15:26 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-05-04 15:56 430,876 a------- c:\windows\setupapi.old
2009-05-04 14:13 117 a--s---- c:\windows\system32\3459851466.dat
2009-05-01 20:51 <DIR> --d----- C:\______C backup
2009-04-30 23:14 <DIR> --d----- c:\program files\Virtual U

==================== Find3M ====================

2009-05-30 19:33 37,703,712 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-05-27 01:20 444,956 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-13 15:25 26,280 a------- c:\windows\system32\emptyregdb.dat
2009-05-01 21:20 4,704 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-30 13:06 170,551 a------- c:\windows\system32\msnslr32.exe
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2006-12-02 18:44 1,115,728 a------- c:\docume~1\alluse~1\applic~1\pswi_preloaded.exe
1765-03-25 22:38 4,263 a--sh--- c:\windows\windllreg1c.sys
2006-11-26 18:31 88 a--shr-- c:\windows\system32\8DFEF1B4EF.sys

============= FINISH: 19:35:18.04 ===============


#4 Axephilic

MRU Graduate
  • Members
  • 224 posts
  • Gender: Male
  • Location: Wisconsin, US

Posted 31 May 2009 - 01:23 PM

Welcome to Bleeping Computer! My name is Adam and I will be assisting you with getting the malware off of your computer. Please observe the following points before we start:
  • If at any point you don't understand something, please let me know and I will be glad to explain or go more into depth for you.
  • Please remember, I am a volunteer and I have a personal life. I go to school full time, have a part time job, and I do sports. A lot of this takes a lot of time.
  • Please keep all of your replies in this topic/thread and do not make a new topic/thread, thanks!
  • Please stick with this, don't stop responding because the symptoms are gone, the infection could still be there. Keep replying to my posts until I give you the All Clean message. ;)
  • If you don't reply within five days after my last instructions, this topic will be closed. If you will not be able to reply within five days, please tell me so the topic will not be closed.
  • Please do not run other tools to remove the malware unless I ask you to until I give you the all clean. They will just mess up my fixes and make things more complicated, not fix the problem.
Please delete the old version of ComboFix that you have then follow these instructions.

Please navigate to the system tray in the bottom right-hand corner and look for a [image] sign.
  • Right-click it -> choose "Disable Auto-Protect."
  • Select a duration of 5 hours (this assures no interference with the cleanup of your PC).
  • Click "Ok."
  • A popup will warn that protection will now be disabled, and the sign will now look like this: [image]
You have successfully disabled the Norton AntiVirus Guard.

Download and Run ComboFix
Please visit this page to download and run Combofix - http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Save it to your desktop.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will see the following message if Microsoft Windows Recovery Console is not installed.

    [image]

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]

Click on Yes to continue scanning for malware.

When finished, a log will be produced. Please post this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Download HijackThis
  • Download HJTInstall.exe to your desktop and run it.
  • Follow the on-screen prompts.
  • After the installation has finished, browse to C:\Program Files\Trend Micro
  • Now start HijackThis.
  • Click Do a system scan and save a log file.
  • Post the log file here. (Notepad will automatically open with the log file once HijackThis! has finished scanning). Do not attach the log file.
In your next reply, please include:
  • ComboFix log
  • HijackThis log
Regards,
Adam
Proud to be a Graduate of Malware Removal University - I am a member of: [image] [image]

#5 GumbyŠ
  • Topic Starter
  • Members
  • 20 posts

Posted 31 May 2009 - 02:24 PM

Thanks for your quick response Adam. It does sound like you have a busy schedule so I'll try and make certain I respond in a timely fashion.

ComboFix 09-05-30.06 - Joe West 1-May-2009 14:54.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1024.502 [GMT -4:00]
Running from: c:\documents and settings\Joe West\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))))))))))))))))))))))))
.

2009-05-13 19:07 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-05-13 19:07 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2009-05-10 03:28 . 2009-05-10 03:28 -------- d-----w- C:\New Folder (2)
2009-05-04 18:13 . 2009-05-05 01:57 117 --s-a-w- c:\windows\system32\3459851466.dat
2009-05-02 00:51 . 2009-05-07 01:45 -------- d-----w- C:\______C backup

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-31 19:03 . 2008-09-18 14:29 37763104 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-05-31 01:48 . 2008-09-18 14:29 445028 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-05-30 23:34 . 2008-07-12 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-05-14 23:50 . 2005-06-28 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-14 04:01 . 2005-06-26 01:03 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-05-13 19:25 . 2005-06-26 00:30 26280 ----a-w- c:\windows\system32\emptyregdb.dat
2009-05-07 21:42 . 2006-08-02 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-05-07 21:42 . 2006-08-02 21:53 -------- d-----w- c:\program files\Spyware Terminator
2009-05-07 19:58 . 2007-10-07 01:40 -------- d-----w- c:\documents and settings\Joe West\Application Data\Spyware Terminator
2009-05-05 14:48 . 2005-06-26 02:33 -------- d-----w- c:\program files\IrfanView
2009-05-02 01:20 . 2006-10-29 22:48 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-01 03:14 . 2009-05-01 03:14 -------- d-----w- c:\program files\Virtual U
2009-04-27 22:17 . 2009-04-27 22:17 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP9.dll
2009-04-27 22:16 . 2009-04-27 22:16 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP8.dll
2009-04-27 22:16 . 2009-04-27 22:16 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP7.dll
2009-04-27 22:15 . 2009-04-27 22:15 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP6.dll
2009-04-27 22:14 . 2009-04-27 22:14 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP5.dll
2009-04-27 22:14 . 2009-04-27 22:14 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP4.dll
2009-04-25 22:55 . 2005-08-31 00:51 -------- d-----w- c:\program files\Common Files\DataViz
2009-04-25 22:54 . 2008-04-01 22:40 -------- dc----w- c:\program files\Common Files\WindowsLiveInstaller
2009-04-25 22:54 . 2005-07-30 06:25 -------- d-----w- c:\program files\DivX
2009-04-25 22:54 . 2005-10-23 18:56 -------- d-----w- c:\program files\Giganews Binary Newsreader
2009-04-25 22:54 . 2006-11-19 18:24 -------- d-----w- c:\program files\InstallConstruct 6
2009-04-25 22:54 . 2006-11-19 18:16 -------- d-----w- c:\program files\Install Creator Pro
2009-04-25 22:54 . 2006-06-26 23:08 -------- d-----w- c:\program files\iTunes
2009-04-25 22:54 . 2005-06-26 02:52 -------- d-----w- c:\program files\InstallShield Installation Information
2009-04-25 22:54 . 2005-06-28 05:12 -------- d-----w- c:\program files\Lavasoft
2009-04-25 22:53 . 2005-07-01 00:14 -------- d-----w- c:\program files\Norton SystemWorks
2009-04-25 22:53 . 2009-03-05 06:00 -------- d-----w- c:\program files\QuickTax 2008
2009-04-25 22:53 . 2005-06-27 20:07 -------- d-----w- c:\program files\QuickTime
2009-04-25 22:53 . 2006-07-07 16:47 -------- d-----w- c:\program files\Samurize
2009-04-25 22:53 . 2005-07-05 21:15 -------- d-----w- c:\program files\Stamps.com Internet Postage
2009-04-25 22:53 . 2007-12-05 21:57 -------- d-----w- c:\program files\TweakNow RegCleaner Std
2009-04-25 22:53 . 2005-06-27 20:06 -------- d-----w- c:\program files\Trillian
2009-04-25 22:53 . 2005-06-29 23:36 -------- d-----w- c:\program files\Winamp
2009-04-25 22:53 . 2005-07-03 00:24 -------- d-----w- c:\program files\WS_FTP
2009-04-25 22:46 . 2009-04-25 22:29 -------- d-----w- c:\program files\TrueSafe
2009-04-25 22:29 . 2009-04-25 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\{C2AC1E50-6536-4256-ACE6-413136533580}
2009-04-25 19:35 . 2009-04-23 06:16 -------- d-----w- c:\program files\Cobian Backup 9
2009-04-23 06:15 . 2009-04-23 06:15 -------- d-----w- c:\documents and settings\Joe West\Application Data\GoodSync
2009-04-20 19:46 . 2009-04-20 19:46 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP3.exe
2009-04-20 19:46 . 2009-04-20 19:46 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP2.exe
2009-04-20 19:46 . 2009-04-20 19:46 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP1.exe
2009-04-20 19:46 . 2009-04-20 19:46 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP0.exe
2009-04-17 00:31 . 2005-06-26 02:52 -------- d-----w- c:\program files\Java
2009-04-17 00:30 . 2009-04-17 00:30 152576 ----a-w- c:\documents and settings\Joe West\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 00:20 . 2005-07-10 01:04 -------- d-----w- c:\documents and settings\Joe West\Application Data\ArcSoft
2009-04-17 00:18 . 2009-04-12 05:10 -------- d-----w- c:\program files\AllMySoftware
2009-04-17 00:16 . 2007-10-27 22:30 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-04-17 00:16 . 2005-07-10 00:53 -------- d-----w- c:\program files\ArcSoft
2009-04-17 00:15 . 2009-04-17 00:15 -------- d-----w- c:\program files\OVT
2009-04-16 16:55 . 2009-04-16 16:55 -------- d-----w- c:\program files\BookCAT
2009-04-12 15:15 . 2008-05-20 08:10 32334728 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-04-11 04:14 . 2007-02-15 22:32 -------- d-----w- c:\documents and settings\Joe West\Application Data\U3
2009-04-05 17:47 . 2009-04-05 17:47 -------- d-----w- c:\documents and settings\Joe West\Application Data\iolo
2009-04-05 17:47 . 2009-04-05 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2009-04-05 17:41 . 2009-04-05 17:41 72002 ----a-w- c:\windows\Internet Logs\GLB4_2nd_2009_04_05_13_27_18_small.dmp.zip
2009-04-05 17:41 . 2009-04-05 17:41 78853 ----a-w- c:\windows\Internet Logs\GLB25_2nd_2009_04_05_13_34_46_small.dmp.zip
2009-04-05 17:09 . 2009-04-05 17:09 40828 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2009_04_05_12_19_46_small.dmp.zip
2009-04-04 22:49 . 2009-04-25 22:29 321108 ----a-w- c:\documents and settings\All Users\Application Data\{C2AC1E50-6536-4256-ACE6-413136533580}\mia.dll
2009-04-04 22:49 . 2009-04-25 22:29 2409425 ----a-w- c:\documents and settings\All Users\Application Data\{C2AC1E50-6536-4256-ACE6-413136533580}\TrueSafeSetup.exe
2009-03-30 17:06 . 2009-03-30 17:06 170551 ----a-w- c:\windows\system32\msnslr32.exe
2009-03-24 17:54 . 2009-03-24 17:54 1998848 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181154-18125.dll
2009-03-24 17:54 . 2009-03-24 17:54 242976 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2009-03-24 17:54 . 2009-03-24 17:54 997 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd
2009-03-24 17:54 . 2009-03-24 17:54 223584 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll
2009-03-18 01:14 . 2009-03-18 01:14 152576 ----a-w- c:\documents and settings\Joe West\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-11 09:43 . 2005-06-26 01:02 129344 ----a-w- c:\documents and settings\Joe West\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-09 09:19 . 2008-12-01 09:12 410984 ----a-w- c:\windows\system32\deploytk.dll
1765-03-26 02:38 . 1765-03-26 02:38 4263 --sha-w- c:\windows\windllreg1c.sys
2006-11-26 22:31 . 2006-10-29 22:48 88 --sha-r- c:\windows\system32\8DFEF1B4EF.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-05-14_02.27.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-31 18:40 . 2009-05-31 18:40 16384 c:\windows\temp\Perflib_Perfdata_664.dat
+ 2004-08-04 12:00 . 2009-05-14 04:06 79012 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-05-13 19:26 79012 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-05-14 04:06 475054 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-05-13 19:26 475054 c:\windows\system32\perfh009.dat
+ 2009-05-07 19:23 . 2009-05-31 18:41 202785 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WeatherEye"="c:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-01-16 4519832]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-09-14 28672]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 53096]
"Jet Detection"="c:\program files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-04-20 28672]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-10-15 1818624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-3-30 221247]
HOTSYNCSHORTCUTNAME.lnk - c:\______c backup\Palm\Hotsync.exe [2004-6-9 471040]
HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]
Monitor.lnk - c:\program files\ArcSoft\Media Card Companion\MCC Monitor.exe [2005-7-9 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{41190C6E-1738-454F-9A85-75DBB2D50058}"= "c:\windows\system32\cmclur.dll" [2007-01-31 32768]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave3"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:F *\0SsiEfr.e\0lsdelete\0\0sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=c:\windows\pss\DataViz Inc Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MySoftware NewsFlash.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MySoftware NewsFlash.lnk
backup=c:\windows\pss\MySoftware NewsFlash.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OrganizeMY Outlook Express Connector.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\OrganizeMY Outlook Express Connector.lnk
backup=c:\windows\pss\OrganizeMY Outlook Express Connector.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk
backup=c:\windows\pss\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WordWeb.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WordWeb.lnk
backup=c:\windows\pss\WordWeb.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Joe West^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Joe West\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Joe West^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\Joe West\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Joe West^Start Menu^Programs^Startup^Password Keeper.lnk]
path=c:\documents and settings\Joe West\Start Menu\Programs\Startup\Password Keeper.lnk
backup=c:\windows\pss\Password Keeper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\iTouch\\iTouch.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\Program Files\\TheWeatherNetwork\\WeatherEye\\WeatherEye.exe"=
"c:\\Program Files\\Hewlett-Packard\\AiO\\hp officejet g series\\Bin\\hpoavn07.exe"=
"c:\\Program Files\\ArcSoft\\Media Card Companion\\MCC Monitor.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=

R0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\drivers\IABFilt.sys [03-Mar-2005 1:23 PM 25344]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [06-Oct-2007 9:52 PM 138624]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [27-Feb-2009 1:23 PM 101936]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [11-Jul-2001 12:06 PM 23153]
S2 BT848;CxVCap, WDM Video Capture;c:\windows\system32\drivers\cxvcap.sys --> c:\windows\system32\drivers\cxvcap.sys [?]
S2 CXTUNER;CxTuner, WDM TvTuner;c:\windows\system32\drivers\CXTUNER.sys --> c:\windows\system32\drivers\CXTUNER.sys [?]
S2 CXXBAR;CxXBar, WDM Crossbar;c:\windows\system32\drivers\CXXBAR.sys --> c:\windows\system32\drivers\CXXBAR.sys [?]
S2 gupdate1c986725b0d78a9;Google Update Service (gupdate1c986725b0d78a9);c:\program files\Google\Update\GoogleUpdate.exe [03-Feb-2009 10:43 PM 133104]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [06-Nov-2007 4:22 PM 34064]
S3 PortRST;USB Flash Memory Controller Service:PortRST;c:\windows\system32\drivers\PortRST.sys [12-Aug-2005 9:09 PM 15547]
S3 USBFMC;USB Flash Memory Controller Service;c:\windows\system32\drivers\USBFMC.sys [12-Aug-2005 9:09 PM 34612]
S3 USTOR;Verbatim Store 'n' Go;c:\windows\system32\drivers\UStork.sys [14-Sep-2005 10:52 PM 19762]
S3 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [16-Aug-2007 5:54 PM 598856]
.
Contents of the 'Scheduled Tasks' folder

2009-01-05 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20]

2009-03-26 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 02:42]

2006-06-23 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Joe West.job
- c:\progra~1\NORTON~1\NORTON~3\Navw32.exe [2005-09-23 16:13]

2009-01-05 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2005-10-06 02:02]

2009-05-15 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2005-10-04 00:20]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.joewest.ca/Robin/index.htm
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
IE: Subscribe in RSS Bandit - c:\documents and settings\Joe West\Application Data\RssBandit\iecontext_subscribebandit.htm
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} - hxxp://shared.live.com/0AWo70tq93pEHO1WfbbTIA/etc/Microsoft.Live.Folders.RichUpload.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 15:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????=2????wd??w????????\???\??????????????w-??w\???\???????x?`??????C@?\???\??????s????\??????s\????=2?A??s?=2??C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1614895754-1364589140-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'explorer.exe'(14564)
c:\program files\Logitech\iTouch\iTchHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-31 15:09
ComboFix-quarantined-files.txt 2009-05-31 19:09
ComboFix2.txt 2009-05-14 02:37

Pre-Run: 2,166,857,728 bytes free
Post-Run: 2,151,337,984 bytes free

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:33 PM, on 31-May-2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\______C backup\Palm\Hotsync.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\HEWLET~2\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Joe West\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.joewest.ca/Robin/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\JOE WEST\Application Data\Mozilla\Profiles\default\y1cjr20j.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JOE WEST\Application Data\Mozilla\Profiles\default\y1cjr20j.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: &Canada Toolbar - {94DD342D-0B1E-49A5-80EF-27F4AD584C48} - C:\Program Files\2 Pixels\Canada Toolbar\CanadaToolbar.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\______C backup\Palm\Hotsync.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O8 - Extra context menu item: Subscribe in RSS Bandit - C:\Documents and Settings\Joe West\Application Data\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231877263671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231877235500
O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - http://shared.live.com/0AWo70tq93pEHO1Wfbb....RichUpload.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\QuickTax 2007\ic2007pp.dll (file missing)
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c986725b0d78a9) (gupdate1c986725b0d78a9) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JOEWES~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 15538 bytes

#6 Axephilic

    MRU Graduate


  • Members
  • 224 posts
  • Gender:Male
  • Location:Wisconsin, US
  • Local time:05:03 AM

Posted 02 June 2009 - 03:31 PM

Hello,

Sorry, I missed your response. :thumbup2:

Fix HijackThis lines
  • Run HijackThis!
  • Click on Do a System Scan only
  • Place a tick next to the following lines:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
Close all open windows and click on Fix checked and when you get a popup window click on Yes.

Run ComboFix

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\system32\3459851466.dat
c:\windows\system32\cmclur.dll
Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{41190C6E-1738-454F-9A85-75DBB2D50058}"=-

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Run GMER
Please download gmer.zip from Gmer and save it to your desktop.
  • Right click on gmer.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will start extracting.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Double click on gmer.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the Gmer scan log and post it in your next reply.
  • Close Gmer.
  • Open Command Prompt by going to Start > Run and type in cmd. Press Enter.
  • In Command Prompt, type in net stop gmer. Press Enter.
  • Type in exit to close Command Prompt.
Note: Do not run any programs while Gmer is running.

In your next reply, please include:
  • ComboFix log
  • GMER log
  • A new HijackThis log
Regards,
Adam
Proud to be a Graduate of Malware Removal University - I am a member of: [badge images]

If I helped you, please consider a donation: [donation link image]

#7 GumbyŠ
  • Topic Starter

  • Members
  • 20 posts
  • Local time:07:03 AM

Posted 02 June 2009 - 11:35 PM

ComboFix 09-05-30.06 - Joe West 2-Jun-2009 17:20.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1024.487 [GMT -4:00]
Running from: c:\documents and settings\Joe West\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joe West\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point

FILE ::
"c:\windows\system32\3459851466.dat"
"c:\windows\system32\cmclur.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\3459851466.dat
c:\windows\system32\cmclur.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-02 to 2009-06-02 )))))))))))))))))))))))))))))))
.

2009-05-13 19:07 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-05-13 19:07 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2009-05-10 03:28 . 2009-05-10 03:28 -------- d-----w- C:\New Folder (2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-02 21:29 . 2008-09-18 14:29 37847072 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-02 21:18 . 2008-07-12 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-02 02:10 . 2008-09-18 14:29 446012 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-05-14 23:50 . 2005-06-28 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-14 04:01 . 2005-06-26 01:03 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-05-13 19:25 . 2005-06-26 00:30 26280 ----a-w- c:\windows\system32\emptyregdb.dat
2009-05-07 21:42 . 2006-08-02 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-05-07 21:42 . 2006-08-02 21:53 -------- d-----w- c:\program files\Spyware Terminator
2009-05-07 19:58 . 2007-10-07 01:40 -------- d-----w- c:\documents and settings\Joe West\Application Data\Spyware Terminator
2009-05-05 14:48 . 2005-06-26 02:33 -------- d-----w- c:\program files\IrfanView
2009-05-02 01:20 . 2006-10-29 22:48 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-01 03:14 . 2009-05-01 03:14 -------- d-----w- c:\program files\Virtual U
2009-04-27 22:17 . 2009-04-27 22:17 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP9.dll
2009-04-27 22:16 . 2009-04-27 22:16 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP8.dll
2009-04-27 22:16 . 2009-04-27 22:16 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP7.dll
2009-04-27 22:15 . 2009-04-27 22:15 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP6.dll
2009-04-27 22:14 . 2009-04-27 22:14 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP5.dll
2009-04-27 22:14 . 2009-04-27 22:14 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP4.dll
2009-04-25 22:55 . 2005-08-31 00:51 -------- d-----w- c:\program files\Common Files\DataViz
2009-04-25 22:54 . 2008-04-01 22:40 -------- dc----w- c:\program files\Common Files\WindowsLiveInstaller
2009-04-25 22:54 . 2005-07-30 06:25 -------- d-----w- c:\program files\DivX
2009-04-25 22:54 . 2005-10-23 18:56 -------- d-----w- c:\program files\Giganews Binary Newsreader
2009-04-25 22:54 . 2006-11-19 18:24 -------- d-----w- c:\program files\InstallConstruct 6
2009-04-25 22:54 . 2006-11-19 18:16 -------- d-----w- c:\program files\Install Creator Pro
2009-04-25 22:54 . 2006-06-26 23:08 -------- d-----w- c:\program files\iTunes
2009-04-25 22:54 . 2005-06-26 02:52 -------- d-----w- c:\program files\InstallShield Installation Information
2009-04-25 22:54 . 2005-06-28 05:12 -------- d-----w- c:\program files\Lavasoft
2009-04-25 22:53 . 2005-07-01 00:14 -------- d-----w- c:\program files\Norton SystemWorks
2009-04-25 22:53 . 2009-03-05 06:00 -------- d-----w- c:\program files\QuickTax 2008
2009-04-25 22:53 . 2005-06-27 20:07 -------- d-----w- c:\program files\QuickTime
2009-04-25 22:53 . 2006-07-07 16:47 -------- d-----w- c:\program files\Samurize
2009-04-25 22:53 . 2005-07-05 21:15 -------- d-----w- c:\program files\Stamps.com Internet Postage
2009-04-25 22:53 . 2007-12-05 21:57 -------- d-----w- c:\program files\TweakNow RegCleaner Std
2009-04-25 22:53 . 2005-06-27 20:06 -------- d-----w- c:\program files\Trillian
2009-04-25 22:53 . 2005-06-29 23:36 -------- d-----w- c:\program files\Winamp
2009-04-25 22:53 . 2005-07-03 00:24 -------- d-----w- c:\program files\WS_FTP
2009-04-25 22:46 . 2009-04-25 22:29 -------- d-----w- c:\program files\TrueSafe
2009-04-25 22:29 . 2009-04-25 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\{C2AC1E50-6536-4256-ACE6-413136533580}
2009-04-25 19:35 . 2009-04-23 06:16 -------- d-----w- c:\program files\Cobian Backup 9
2009-04-23 06:15 . 2009-04-23 06:15 -------- d-----w- c:\documents and settings\Joe West\Application Data\GoodSync
2009-04-20 19:46 . 2009-04-20 19:46 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP3.exe
2009-04-20 19:46 . 2009-04-20 19:46 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP2.exe
2009-04-20 19:46 . 2009-04-20 19:46 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP1.exe
2009-04-20 19:46 . 2009-04-20 19:46 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP0.exe
2009-04-17 00:31 . 2005-06-26 02:52 -------- d-----w- c:\program files\Java
2009-04-17 00:30 . 2009-04-17 00:30 152576 ----a-w- c:\documents and settings\Joe West\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 00:20 . 2005-07-10 01:04 -------- d-----w- c:\documents and settings\Joe West\Application Data\ArcSoft
2009-04-17 00:18 . 2009-04-12 05:10 -------- d-----w- c:\program files\AllMySoftware
2009-04-17 00:16 . 2007-10-27 22:30 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-04-17 00:16 . 2005-07-10 00:53 -------- d-----w- c:\program files\ArcSoft
2009-04-17 00:15 . 2009-04-17 00:15 -------- d-----w- c:\program files\OVT
2009-04-16 16:55 . 2009-04-16 16:55 -------- d-----w- c:\program files\BookCAT
2009-04-12 15:15 . 2008-05-20 08:10 32334728 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-04-11 04:14 . 2007-02-15 22:32 -------- d-----w- c:\documents and settings\Joe West\Application Data\U3
2009-04-05 17:47 . 2009-04-05 17:47 -------- d-----w- c:\documents and settings\Joe West\Application Data\iolo
2009-04-05 17:47 . 2009-04-05 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2009-04-05 17:41 . 2009-04-05 17:41 72002 ----a-w- c:\windows\Internet Logs\GLB4_2nd_2009_04_05_13_27_18_small.dmp.zip
2009-04-05 17:41 . 2009-04-05 17:41 78853 ----a-w- c:\windows\Internet Logs\GLB25_2nd_2009_04_05_13_34_46_small.dmp.zip
2009-04-05 17:09 . 2009-04-05 17:09 40828 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2009_04_05_12_19_46_small.dmp.zip
2009-04-04 22:49 . 2009-04-25 22:29 321108 ----a-w- c:\documents and settings\All Users\Application Data\{C2AC1E50-6536-4256-ACE6-413136533580}\mia.dll
2009-04-04 22:49 . 2009-04-25 22:29 2409425 ----a-w- c:\documents and settings\All Users\Application Data\{C2AC1E50-6536-4256-ACE6-413136533580}\TrueSafeSetup.exe
2009-03-30 17:06 . 2009-03-30 17:06 170551 ----a-w- c:\windows\system32\msnslr32.exe
2009-03-24 17:54 . 2009-03-24 17:54 1998848 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181154-18125.dll
2009-03-24 17:54 . 2009-03-24 17:54 242976 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2009-03-24 17:54 . 2009-03-24 17:54 997 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd
2009-03-24 17:54 . 2009-03-24 17:54 223584 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll
2009-03-18 01:14 . 2009-03-18 01:14 152576 ----a-w- c:\documents and settings\Joe West\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-11 09:43 . 2005-06-26 01:02 129344 ----a-w- c:\documents and settings\Joe West\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-09 09:19 . 2008-12-01 09:12 410984 ----a-w- c:\windows\system32\deploytk.dll
1765-03-26 02:38 . 1765-03-26 02:38 4263 --sha-w- c:\windows\windllreg1c.sys
2006-11-26 22:31 . 2006-10-29 22:48 88 --sha-r- c:\windows\system32\8DFEF1B4EF.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-05-14_02.27.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-02 21:06 . 2009-06-02 21:06 16384 c:\windows\temp\Perflib_Perfdata_658.dat
+ 2004-08-04 12:00 . 2009-05-14 04:06 79012 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-05-13 19:26 79012 c:\windows\system32\perfc009.dat
- 2005-06-30 06:10 . 2009-01-13 21:44 27136 c:\windows\Installer\{90150409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2005-06-30 06:10 . 2009-06-01 19:05 27136 c:\windows\Installer\{90150409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2005-06-30 06:10 . 2009-06-01 19:05 12288 c:\windows\Installer\{90150409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2005-06-30 06:10 . 2009-01-13 21:44 12288 c:\windows\Installer\{90150409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2005-06-30 06:10 . 2009-06-01 19:05 4096 c:\windows\Installer\{90150409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2005-06-30 06:10 . 2009-01-13 21:44 4096 c:\windows\Installer\{90150409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2004-08-04 12:00 . 2009-05-14 04:06 475054 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-05-13 19:26 475054 c:\windows\system32\perfh009.dat
+ 2009-05-07 19:23 . 2009-06-02 21:07 202770 c:\windows\system32\inetsrv\MetaBase.bin
- 2005-06-30 06:10 . 2009-01-13 21:44 135168 c:\windows\Installer\{90150409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2005-06-30 06:10 . 2009-06-01 19:05 135168 c:\windows\Installer\{90150409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2005-06-30 06:10 . 2009-01-13 21:44 593920 c:\windows\Installer\{90150409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2005-06-30 06:10 . 2009-06-01 19:05 593920 c:\windows\Installer\{90150409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2007-05-10 17:42 . 2007-05-10 17:42 450392 c:\windows\Installer\$PatchCache$\Managed\9040510900063D11C8EF10054038389C\11.0.8173\SOA.DLL
+ 2007-01-17 00:32 . 2007-01-17 00:32 136032 c:\windows\Installer\$PatchCache$\Managed\9040510900063D11C8EF10054038389C\11.0.8173\MSAEXP30.DLL
+ 2007-04-19 17:54 . 2007-04-19 17:54 169312 c:\windows\Installer\$PatchCache$\Managed\9040510900063D11C8EF10054038389C\11.0.8173\ACCWIZ.DLL
+ 2007-05-10 17:43 . 2007-05-10 17:43 6688096 c:\windows\Installer\$PatchCache$\Managed\9040510900063D11C8EF10054038389C\11.0.8173\MSACCESS.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WeatherEye"="c:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-01-16 4519832]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-09-14 28672]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 53096]
"Jet Detection"="c:\program files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-04-20 28672]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-10-15 1818624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-3-30 221247]
HOTSYNCSHORTCUTNAME.lnk - c:\______c backup\Palm\Hotsync.exe [2004-6-9 471040]
HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]
Monitor.lnk - c:\program files\ArcSoft\Media Card Companion\MCC Monitor.exe [2005-7-9 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
"EnableShellExecuteHooks"= 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave3"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:F *\0SsiEfr.e\0lsdelete\0\0sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=c:\windows\pss\DataViz Inc Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MySoftware NewsFlash.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MySoftware NewsFlash.lnk
backup=c:\windows\pss\MySoftware NewsFlash.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OrganizeMY Outlook Express Connector.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\OrganizeMY Outlook Express Connector.lnk
backup=c:\windows\pss\OrganizeMY Outlook Express Connector.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk
backup=c:\windows\pss\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WordWeb.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WordWeb.lnk
backup=c:\windows\pss\WordWeb.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Joe West^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Joe West\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Joe West^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\Joe West\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Joe West^Start Menu^Programs^Startup^Password Keeper.lnk]
path=c:\documents and settings\Joe West\Start Menu\Programs\Startup\Password Keeper.lnk
backup=c:\windows\pss\Password Keeper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\iTouch\\iTouch.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\Program Files\\TheWeatherNetwork\\WeatherEye\\WeatherEye.exe"=
"c:\\Program Files\\Hewlett-Packard\\AiO\\hp officejet g series\\Bin\\hpoavn07.exe"=
"c:\\Program Files\\ArcSoft\\Media Card Companion\\MCC Monitor.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=

R0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\drivers\IABFilt.sys [03-Mar-2005 1:23 PM 25344]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [06-Oct-2007 9:52 PM 138624]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [27-Feb-2009 1:23 PM 101936]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [11-Jul-2001 12:06 PM 23153]
S2 BT848;CxVCap, WDM Video Capture;c:\windows\system32\drivers\cxvcap.sys --> c:\windows\system32\drivers\cxvcap.sys [?]
S2 CXTUNER;CxTuner, WDM TvTuner;c:\windows\system32\drivers\CXTUNER.sys --> c:\windows\system32\drivers\CXTUNER.sys [?]
S2 CXXBAR;CxXBar, WDM Crossbar;c:\windows\system32\drivers\CXXBAR.sys --> c:\windows\system32\drivers\CXXBAR.sys [?]
S2 gupdate1c986725b0d78a9;Google Update Service (gupdate1c986725b0d78a9);c:\program files\Google\Update\GoogleUpdate.exe [03-Feb-2009 10:43 PM 133104]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [06-Nov-2007 4:22 PM 34064]
S3 PortRST;USB Flash Memory Controller Service:PortRST;c:\windows\system32\drivers\PortRST.sys [12-Aug-2005 9:09 PM 15547]
S3 USBFMC;USB Flash Memory Controller Service;c:\windows\system32\drivers\USBFMC.sys [12-Aug-2005 9:09 PM 34612]
S3 USTOR;Verbatim Store 'n' Go;c:\windows\system32\drivers\UStork.sys [14-Sep-2005 10:52 PM 19762]
S3 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [16-Aug-2007 5:54 PM 598856]
.
Contents of the 'Scheduled Tasks' folder

2009-01-05 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20]

2009-03-26 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 02:42]

2006-06-23 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Joe West.job
- c:\progra~1\NORTON~1\NORTON~3\Navw32.exe [2005-09-23 16:13]

2009-01-05 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2005-10-06 02:02]

2009-05-15 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2005-10-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.joewest.ca/Robin/index.htm
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
IE: Subscribe in RSS Bandit - c:\documents and settings\Joe West\Application Data\RssBandit\iecontext_subscribebandit.htm
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} - hxxp://shared.live.com/0AWo70tq93pEHO1WfbbTIA/etc/Microsoft.Live.Folders.RichUpload.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-02 17:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????=2????wd??w????????\???\??????????????w-??w\???\?????????`??????C@?\???\??????s????\??????s\????=2?A??s?=2??C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1614895754-1364589140-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WRLogonNTF.dll
.
Completion time: 2009-06-02 17:35
ComboFix-quarantined-files.txt 2009-06-02 21:35
ComboFix2.txt 2009-05-14 02:37

Pre-Run: 2,086,346,752 bytes free
Post-Run: 2,073,358,336 bytes free

289

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-03 00:17:42
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xF00BA040]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xF00B6930]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xF00C1A80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xF00BA510]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xF00BA600]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xF00B6F20]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xF00C26E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xF00C2440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xF00C28B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xF00B6D70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRenameKey [0xF00C3250]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xF00C2CB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xF00B9C00]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xF00C3080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xF00B7120]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xF00C2140]

Code \??\C:\DOCUME~1\JOEWES~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? srescan.sys The system cannot find the file specified. !
? C:\DOCUME~1\JOEWES~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\______C backup\Palm\Hotsync.exe[200] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\______C backup\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\______C backup\Palm\Hotsync.exe[200] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\______C backup\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\______C backup\Palm\Hotsync.exe[200] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\______C backup\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\______C backup\Palm\Hotsync.exe[200] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\______C backup\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\______C backup\Palm\Hotsync.exe[200] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\______C backup\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\______C backup\Palm\Hotsync.exe[200] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\______C backup\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\______C backup\Palm\Hotsync.exe[200] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\______C backup\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\______C backup\Palm\Hotsync.exe[200] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\______C backup\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\______C backup\Palm\Hotsync.exe[200] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\______C backup\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\______C backup\Palm\Hotsync.exe[200] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\______C backup\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\______C backup\Palm\Hotsync.exe[200] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\______C backup\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\______C backup\Palm\Hotsync.exe[200] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\______C backup\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\______C backup\Palm\Hotsync.exe[200] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\______C backup\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\______C backup\Palm\Hotsync.exe[200] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\______C backup\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\______C backup\Palm\Hotsync.exe[200] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\______C backup\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\______C backup\Palm\Hotsync.exe[200] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\______C backup\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\______C backup\Palm\Hotsync.exe[200] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\______C backup\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\______C backup\Palm\Hotsync.exe[200] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\______C backup\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\______C backup\Palm\Hotsync.exe[200] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\______C backup\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\______C backup\Palm\Hotsync.exe[200] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\______C backup\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F00BECA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F00BF1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F00BF320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F00BEE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F00BEE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F00BECA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F00BF1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F00BF320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F00BECA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F00BF320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F00BF1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F00BEE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F00BF320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F00BECA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F00BF1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F00BEE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F00BECA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F00BF1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F00BF320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [F00CC330] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F00BECA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F00BEE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F00BF320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F00BF1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisRegisterProtocol] [F00BECA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisOpenAdapter] [F00BF1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisDeregisterProtocol] [F00BEE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisCloseAdapter] [F00BF320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [F00B7670] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [F00B75C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [F00B7770] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F00B72D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\Anne's completed presentations\Dictionaries, Glossaries, Vocabulary Exercise\Dictionary, Glossary and Vocabulary Exercise.ppt 79360 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\Anne's completed presentations\Dictionaries, Glossaries, Vocabulary Exercise\Vocabulary Exercise completed.jpg 246248 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\Anne's completed presentations\Dictionaries, Glossaries, Vocabulary Exercise\Vocabulary Exercise.jpg 197762 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\Carol's Completed Presentations\Understanding Timetables and Course Outlines\Blank Timetable.jpg 256444 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\Carol's Completed Presentations\Understanding Timetables and Course Outlines\CMM115 - Communication 1 W06.doc 93696 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\Carol's Completed Presentations\Understanding Timetables and Course Outlines\Sample Timetables.jpg 1130679 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\Carol's Completed Presentations\Understanding Timetables and Course Outlines\Sample Timetables2.jpg 597842 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\Carol's Completed Presentations\Understanding Timetables and Course Outlines\Sample Timetables3.jpg 383608 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\Carol's Completed Presentations\Understanding Timetables and Course Outlines\Understanding Timetable and Course Outlines.ppt 55808 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\____Carol's Completed Presentations copied to CD format\Course Load Management\Assignment Sheet.jpg 510623 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\____Carol's Completed Presentations copied to CD format\Course Load Management\Blank Daily Planner.jpg 756605 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\____Carol's Completed Presentations copied to CD format\Course Load Management\Blank Monthly Planner.jpg 516941 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\____Carol's Completed Presentations copied to CD format\Course Load Management\Blank Weekly Planner.jpg 987969 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\____Carol's Completed Presentations copied to CD format\Course Load Management\Course Load Management.ppt 69632 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\____Carol's Completed Presentations copied to CD format\Course Load Management\Major Assignment Plan.jpg 507976 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\____Carol's Completed Presentations copied to CD format\Course Load Management\Sample Daily Planner.jpg 969795 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\____Carol's Completed Presentations copied to CD format\Course Load Management\Sample Monthly Planner.jpg 705407 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\____Carol's Completed Presentations copied to CD format\Course Load Management\Sample Weekly Planner.jpg 601464 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\____Carol's Completed Presentations copied to CD format\Math Information\Glossary Sample.jpg 943431 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\____Carol's Completed Presentations copied to CD format\Math Information\Math Information.ppt 60416 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\____Carol's Completed Presentations copied to CD format\Math Information\Math Review Sheet Checklist.jpg 523671 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\____Carol's Completed Presentations copied to CD format\Understanding Timetables and Course Outlines\Blank Timetable.jpg 256444 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\____Carol's Completed Presentations copied to CD format\Understanding Timetables and Course Outlines\CMM115 - Communication 1 W06.doc 93696 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\____Carol's Completed Presentations copied to CD format\Understanding Timetables and Course Outlines\Sample Timetables.jpg 1130679 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\____Carol's Completed Presentations copied to CD format\Understanding Timetables and Course Outlines\Sample Timetables2.jpg 597842 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\____Carol's Completed Presentations copied to CD format\Understanding Timetables and Course Outlines\Sample Timetables3.jpg 383608 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\completed presentations from other people\____Carol's Completed Presentations copied to CD format\Understanding Timetables and Course Outlines\Understanding Timetable and Course Outlines.ppt 55808 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\_Presentations\Rights and Responsibilities\Legislation\Freedom of Information and Protection of Privacy Act, R_S_O_ 1990, c_ F_31_files\laws.css 295691 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition planning 2006\_Presentations\Rights and Responsibilities\Legislation\Ontarians with Disabilities Act, 2001, S_O_ 2001, c_ 32_files\laws.css 295691 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition Planning 2007\Presentations - MINE\backup check for duplicates\Rights\Legislation\Freedom of Information and Protection of Privacy Act, R_S_O_ 1990, c_ F_31_files\laws.css 295691 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition Planning 2007\Presentations - MINE\backup check for duplicates\Rights\Legislation\Ontarians with Disabilities Act, 2001, S_O_ 2001, c_ 32_files\laws.css 295691 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition Planning 2007\Presentations - MINE\Rights\Legislation\Freedom of Information and Protection of Privacy Act, R_S_O_ 1990, c_ F_31_files\laws.css 295691 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition Planning 2007\Presentations - other peoples\Carol's Completed Presentations\Completed Presentations\Understanding Course Outlines\CMM115 - Communication 1 W06.doc 93696 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\My Documents\Transition Planning 2007\Presentations - other peoples\Carol's Completed Presentations\Completed Presentations\Understanding Course Outlines\Understanding Your Course Outlines.ppt 67584 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\Transition\files\Transition program presentations\August 29, 2007\01 Rights and Responsibilities\Legislation\Freedom of Information and Protection of Privacy Act, R_S_O_ 1990, c_ F_31_files\laws.css 295691 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\Transition\files\Transition program presentations\August 29, 2007\01 Rights and Responsibilities\Legislation\Freedom of Information and Protection of Privacy Act, R_S_O_ 1990, c_ F_31_files\_vti_cnf 0 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\Transition\files\Transition program presentations\August 29, 2007\01 Rights and Responsibilities\Legislation\Freedom of Information and Protection of Privacy Act, R_S_O_ 1990, c_ F_31_files\_vti_cnf\laws.css 521 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\Transition\files\Transition program presentations\August 29, 2007\01 Rights and Responsibilities\Legislation\Ontarians with Disabilities Act, 2001, S_O_ 2001, c_ 32_files\laws.css 295691 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\Transition\files\Transition program presentations\August 29, 2007\01 Rights and Responsibilities\Legislation\Ontarians with Disabilities Act, 2001, S_O_ 2001, c_ 32_files\_vti_cnf 0 bytes
File C:\Documents and Settings\Joe West\My Documents\My Documents old\Joe's SNO Office Documents ending 2007\Transition\files\Transition program presentations\August 29, 2007\01 Rights and Responsibilities\Legislation\Ontarians with Disabilities Act, 2001, S_O_ 2001, c_ 32_files\_vti_cnf\laws.css 496 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Chart Support Files\Templates\LetterSize Color\Landscape Horizontal Stacked Bar.3tf 57878 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Chart Support Files\Templates\LetterSize Color\Landscape Percent Stacked Bar 2.3tf 57274 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Chart Support Files\Templates\LetterSize Color\Landscape Percent Stacked Bar.3tf 67063 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Chart Support Files\Templates\LetterSize Color\Landscape Pie.3tf 59949 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Chart Support Files\Templates\LetterSize Color\Portrait Multiple Pie.3tf 70060 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Chart Support Files\Templates\LetterSize Color\Portrait Pie.3tf 72940 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Chart Support Files\Templates\LetterSize Color\Portrait Stacked Area.3tf 62793 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Config\QuattroPro10\Corel Quattro Pro 7\QP_EN_Bar.cfg 6878 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Config\QuattroPro10\Corel Quattro Pro 7\QP_EN_Docker.cfg 187 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Config\QuattroPro10\Corel Quattro Pro 7\QP_EN_GlobalItemProp.cfg 2859 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Config\QuattroPro10\Corel Quattro Pro 7\QP_EN_ShortCutKeys.cfg 148 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Config\QuattroPro10\Corel Quattro Pro 7\QuattroPro.INI 246 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Config\QuattroPro10\Microsoft Excel\QP_EN_Bar.cfg 12756 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Config\QuattroPro10\Microsoft Excel\QP_EN_Docker.cfg 359 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Config\QuattroPro10\Microsoft Excel\QP_EN_GlobalItemProp.cfg 6153 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Config\QuattroPro10\Microsoft Excel\QP_EN_ShortCutKeys.cfg 208 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Config\QuattroPro10\Microsoft Excel\QuattroPro.INI 245 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Config\QuattroPro10\_default\QP_EN_Bar.cfg 1232 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Config\QuattroPro10\_default\QP_EN_Docker.cfg 187 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Config\QuattroPro10\_default\QP_EN_GlobalItemProp.cfg 237 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Config\QuattroPro10\_default\QP_EN_ShortCutKeys.cfg 148 bytes
File C:\Program Files\Corel\WordPerfect Office 2002\Config\QuattroPro10\_default\QuattroPro.INI 1008 bytes

---- EOF - GMER 1.0.15 ----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:53 AM, on 03-Jun-2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\______C backup\Palm\Hotsync.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\PROGRA~1\HEWLET~2\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Joe West\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.joewest.ca/Robin/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\JOE WEST\Application Data\Mozilla\Profiles\default\y1cjr20j.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JOE WEST\Application Data\Mozilla\Profiles\default\y1cjr20j.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: &Canada Toolbar - {94DD342D-0B1E-49A5-80EF-27F4AD584C48} - C:\Program Files\2 Pixels\Canada Toolbar\CanadaToolbar.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1614895754-1364589140-725345543-1003\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe (User '?')
O4 - HKUS\S-1-5-21-1614895754-1364589140-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\______C backup\Palm\Hotsync.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O8 - Extra context menu item: Subscribe in RSS Bandit - C:\Documents and Settings\Joe West\Application Data\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231877263671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231877235500
O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - http://shared.live.com/0AWo70tq93pEHO1Wfbb....RichUpload.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\QuickTax 2007\ic2007pp.dll (file missing)
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c986725b0d78a9) (gupdate1c986725b0d78a9) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JOEWES~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 15567 bytes

#8 GumbyŠ

GumbyŠ
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:07:03 AM

Posted 02 June 2009 - 11:48 PM

After GMER took about 7 hours to run, I ended up with several error messages as follows (I was still able to save the logfile and I hope it's complete and the error messages are not relevant).

Apcsystray.exe - Application Error
Instruction at 0x00435643 referenced memory 0x00435643. The required data was not placed into memory because of an I/O error status of 0x000009a

ccAPP.exe - Application Error
Instruction at 0x7c37a588 referenced memory 0x6af7772c. The required data was not placed into memory because of an I/O error status of 0x000009a

Winlogon.exe - Application Error
Instruction at 0x75b9138 referenced memory 0x75b9138. The required data was not placed into memory because of an I/O error status of 0x000009a

Windows delayed write failed
Windows was unable to save all the data for the file \$Directory. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Windows delayed write failed
Windows was unable to save all the data for the file \$Mft. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Windows delayed write failed
Windows was unable to save all the data for the file \Windows\system32\config\SysEvent.evt. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Windows delayed write failed
Windows was unable to save all the data for the file \$Mft. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Windows delayed write failed
Windows was unable to save all the data for the file \Device\HarddiskVolume1\WINDOWS\system32\config\AppEvent.Evt. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Windows delayed write failed
Windows was unable to save all the data for the file \Device\HarddiskVolume1\WINDOWS\system32\config\SysEvent.Evt. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.


Also, after completing GMER, when I tried the command net stop gmer I received the following error:
system error 1060 has occurred.
The specified service does not exist as an installed service.

GumbyŠ

#9 Axephilic

Axephilic

    MRU Graduate


  • Members
  • 224 posts
  • OFFLINE
  • Gender:Male
  • Location:Wisconsin, US
  • Local time:05:03 AM

Posted 03 June 2009 - 03:13 PM

Hi there,

Good job. I'm not sure why GMER gave you those errors, but I believe them to be irrelevant at this point.

Kaspersky Online Scanner
Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
In your next reply, please include:
  • Kaspersky report
  • How is it running now?
  • A new HijackThis log
Regards,
Adam

#10 GumbyŠ

GumbyŠ
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:07:03 AM

Posted 04 June 2009 - 01:32 AM

Can't really say how well the computer is running now since I only start it up to run these fixes. I've been using a different computer to connect to the Internet and submit these log files.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, June 4, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, June 03, 2009 23:10:36
Records in database: 2303643
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 271753
Threat name: 14
Infected objects: 49
Suspicious objects: 5
Duration of the scan: 08:59:10


File name / Threat name / Threats count
C:\Documents and Settings\Joe West\.housecall6.6\Quarantine\loaderadv237.jar-2d8175f5-303d8b30.zip.bac_a02544 Infected: Trojan-Downloader.Java.OpenStream.c 1
C:\Documents and Settings\Joe West\.housecall6.6\Quarantine\loaderadv505.jar-47cfdd92-611a3055.zip.bac_a02544 Infected: Trojan-Downloader.Java.OpenStream.c 1
C:\Documents and Settings\Joe West\.housecall6.6\Quarantine\loaderadv88.jar-18f84f3f-33c0eff6.zip.bac_a02544 Infected: Trojan-Downloader.Java.OpenStream.c 1
C:\Documents and Settings\Joe West\.housecall6.6\Quarantine\windexserv.dll.bac_a02544 Infected: not-a-virus:AdWare.Win32.BHO.ba 1
C:\Documents and Settings\Joe West\Local Settings\Application Data\Identities\{F45AE7D5-CEB6-4C0E-A2B5-0A9577BFC66B}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Joe West\Local Settings\Application Data\Identities\{F45AE7D5-CEB6-4C0E-A2B5-0A9577BFC66B}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Fiffraud.p 1
C:\Documents and Settings\Joe West\Local Settings\Application Data\Identities\{F45AE7D5-CEB6-4C0E-A2B5-0A9577BFC66B}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bankfraud.qy 3
C:\Documents and Settings\Joe West\Local Settings\Application Data\Identities\{F45AE7D5-CEB6-4C0E-A2B5-0A9577BFC66B}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bankfraud.rw 1
C:\Program Files\Netscape\Users\Joe@JoeWest.Ca\tmteikz0.slt\Mail\mail.joewest-2.ca\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\Netscape\Users\Joe@JoeWest.Ca\tmteikz0.slt\Mail\mail.joewest-2.ca\Inbox Infected: Trojan-Spy.HTML.Fiffraud.p 1
C:\Program Files\Netscape\Users\Joe@JoeWest.Ca\tmteikz0.slt\Mail\mail.joewest-2.ca\Inbox Infected: Trojan-Spy.HTML.Bankfraud.qy 3
C:\Program Files\Netscape\Users\Joe@JoeWest.Ca\tmteikz0.slt\Mail\mail.joewest-2.ca\Inbox Infected: Trojan-Spy.HTML.Bankfraud.rw 1
C:\Program Files\Netscape\Users\Joe@JoeWest.Ca\tmteikz0.slt\Mail\mail.joewest-2.ca\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\Netscape\Users\Joe@JoeWest.Ca\tmteikz0.slt\Mail\mail.joewest-2.ca\Trash Infected: Trojan-Spy.HTML.Fiffraud.p 1
C:\Program Files\Netscape\Users\Joe@JoeWest.Ca\tmteikz0.slt\Mail\mail.joewest-2.ca\Trash Infected: Trojan-Spy.HTML.Bankfraud.qy 3
C:\Program Files\Netscape\Users\Joe@JoeWest.Ca\tmteikz0.slt\Mail\mail.joewest-2.ca\Trash Infected: Trojan-Spy.HTML.Bankfraud.rw 1
C:\Program Files\Netscape\Users\Joe@JoeWest.Ca\tmteikz0.slt\Mail\soonet.ca\previous Inbox Infected: not-a-virus:Monitor.Win32.RedHand.a 1
C:\Program Files\Netscape\Users\Joe@JoeWest.Ca\tmteikz0.slt\Mail\soonet.ca\previous Inbox Infected: Email-Worm.Win32.BadtransII 1
C:\Program Files\Netscape\Users\jsw\Mail\mail.joewest-2.ca\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\Netscape\Users\jsw\Mail\mail.joewest-2.ca\Inbox Infected: Trojan-Spy.HTML.Fiffraud.p 1
C:\Program Files\Netscape\Users\jsw\Mail\mail.joewest-2.ca\Inbox Infected: Trojan-Spy.HTML.Bankfraud.qy 3
C:\Program Files\Netscape\Users\jsw\Mail\mail.joewest-2.ca\Inbox Infected: Trojan-Spy.HTML.Bankfraud.rw 1
C:\Program Files\Netscape\Users\jsw\Mail\mail.joewest-2.ca\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\Netscape\Users\jsw\Mail\mail.joewest-2.ca\Trash Infected: Trojan-Spy.HTML.Fiffraud.p 1
C:\Program Files\Netscape\Users\jsw\Mail\mail.joewest-2.ca\Trash Infected: Trojan-Spy.HTML.Bankfraud.qy 3
C:\Program Files\Netscape\Users\jsw\Mail\mail.joewest-2.ca\Trash Infected: Trojan-Spy.HTML.Bankfraud.rw 1
C:\Program Files\Netscape\Users\jsw\Mail\mail.vianet.ca\Inbox Infected: Trojan-Spy.HTML.Fraud.av 1
C:\Program Files\Netscape\Users\jsw\Mail\mail.vianet.ca\previous Inbox Infected: not-a-virus:Monitor.Win32.RedHand.a 1
C:\Program Files\Netscape\Users\jsw\Mail\mail.vianet.ca\previous Inbox Infected: Email-Worm.Win32.BadtransII 1
C:\Program Files\Netscape\Users\jsw\Mail\soonet.ca\previous Inbox Infected: not-a-virus:Monitor.Win32.RedHand.a 1
C:\Program Files\Netscape\Users\jsw\Mail\soonet.ca\previous Inbox Infected: Email-Worm.Win32.BadtransII 1
C:\Program Files\Netscape\Users\jsw\Mail\Trash Infected: Trojan-Spy.HTML.Bankfraud.qy 3
C:\Program Files\Netscape\Users\jsw\Mail\Trash Infected: Trojan-Spy.HTML.Bankfraud.rw 3
C:\Program Files\Netscape\Users\jsw\Mail\Trash Infected: Trojan-Spy.HTML.Fiffraud.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\1171305726.exe.vir Infected: Trojan-Clicker.Win32.VB.bku 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ac3apie.exe.vir Infected: Backdoor.Win32.IRCBot.jcx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\digiwet.dll.vir Infected: Backdoor.Win32.Zdoogu.bt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\port135sik.sys.vir Infected: Rootkit.Win32.Agent.ikz 1
C:\______C backup\Palm\software from Kazaa\over 100 programs\palmsoftware - downloads\vnc-3.3.3r2_x86_win32 - Access any PC off your PC!.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1
C:\______C backup\Palm\software from Kazaa\Palm OS Software Over 100 Programs.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:54 AM, on 04-Jun-2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\______C backup\Palm\Hotsync.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\HEWLET~2\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Joe West\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.joewest.ca/Robin/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\JOE WEST\Application Data\Mozilla\Profiles\default\y1cjr20j.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JOE WEST\Application Data\Mozilla\Profiles\default\y1cjr20j.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: &Canada Toolbar - {94DD342D-0B1E-49A5-80EF-27F4AD584C48} - C:\Program Files\2 Pixels\Canada Toolbar\CanadaToolbar.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\______C backup\Palm\Hotsync.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O8 - Extra context menu item: Subscribe in RSS Bandit - C:\Documents and Settings\Joe West\Application Data\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231877263671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231877235500
O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - http://shared.live.com/0AWo70tq93pEHO1Wfbb....RichUpload.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\QuickTax 2007\ic2007pp.dll (file missing)
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c986725b0d78a9) (gupdate1c986725b0d78a9) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JOEWES~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 15548 bytes

#11 Axephilic

Axephilic

    MRU Graduate


  • Members
  • 224 posts
  • Gender:Male
  • Location:Wisconsin, US
  • Local time:05:03 AM

Posted 04 June 2009 - 03:25 PM

Hi there,

Ok, thanks. There are just some emails now to deal with but other than those it appears to be clean at this point. Once the emails are gone, please start using it. Not for anything important, just general things so that you can see how it is running.

You have quite a few infected emails in your email clients.

For Outlook Express, you should back up any important emails and then clean out the deleted items folder.

For Netscape, you should back up any important emails as well and clean out the following folders:
  • Inbox
  • Trash
  • Previous Inbox
Please do this for all of your accounts.

Then, I will need to see another online scan:

Eset Online Scanner

Please go to the Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.
  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Uncheck (untick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.

In your next reply, please include:
  • ESET log
  • A new HijackThis log
Regards,
Adam
Proud to be a Graduate of Malware Removal University - I am a member of:
If I helped you, please consider a donation.

#12 GumbyŠ

GumbyŠ
  • Topic Starter

  • Members
  • 20 posts
  • Local time:07:03 AM

Posted 04 June 2009 - 08:05 PM

The infected computer has been my 'workhorse' for almost 7 years. I stopped using it roughly within an hour of it being infected. I tried for a number of days to fix the problem to no avail. That's why I've sought a solution from bleepingcomputers. I discovered the infection by the fact that Norton Anti-virus was disabled and not by me. I tried to re-initialize it but it did not work. I ran a virus scan and requested the infections to be removed. I then tried Spybot Search & Destroy (which recognized the same infections) and tried to remove them to no avail. When I first noticed the problem I disconnected from the Internet to ensure the data on my computer remained as secure as possible.

Regarding the current infections in my email, in order to transfer my email from Netscape 7.2 to Outlook 2003 I had to transfer my Netscape 7.2 to Netscape 4.xx then to Outlook Express then to Outlook 2003. That was the only online method I could find to move my several years of emails from Netscape 7.2 to Outlook 2003. I've deleted all of the emails for Outlook Express and Netscape 4.xx as well as 7.2. I'm surprised that it did not find the same infections in the Outlook 2003 PST file. I will make certain I follow the same procedures to ensure my emails in Outlook 2003 are safe.

I guess what I'm saying is that there probably would not be much difference in how my computer would act now compared to when I first contacted bleepingcomputers since I am so paranoid that I noticed the problem so early. Suffice it to say, I'm more concerned about what data can 'get out' via the Internet than what might happen on the computer without access to the Internet.

The preceding was only some background info and was not intended to be of any critical insight. I do appreciate all your assistance to return my workhorse to its previous glory. Otherwise I would have to reformat and start from scratch. Not a good idea since I have data that goes back to 1986.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=1013a4f639827f4796a3f8963e8fc764
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-05 12:03:53
# local_time=2009-06-04 08:03:53 (-0500, Eastern Daylight Time)
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=3586 25 100 88 119527187500
# compatibility_mode=7937 61 100 100 524383467500000
# scanned=265457
# found=7
# cleaned=0
# scan_time=11060
C:\Documents and Settings\Joe West\Local Settings\Application Data\Identities\{F45AE7D5-CEB6-4C0E-A2B5-0A9577BFC66B}\Microsoft\Outlook Express\HUMOUR.dbx Coke joke 00000000000000000000000000000000
C:\downloaded software\Bug Doctor\BugdoctorSetup.exe Win32/Adware.BugDoctor application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\1171305726.exe.vir multiple threats 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\ac3apie.exe.vir Win32/IRCBot.ANM trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\digiwet.dll.vir Win32/TrojanDownloader.Bredolab.AA trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\port135sik.sys.vir Win32/TrojanDownloader.Wigon.BS trojan 00000000000000000000000000000000
C:\WINDOWS\system32\tidxrv.dll Win32/Adware.VBAd application 00000000000000000000000000000000


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:15 PM, on 04-Jun-2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\______C backup\Palm\Hotsync.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\HEWLET~2\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Documents and Settings\Joe West\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.joewest.ca/Robin/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\JOE WEST\Application Data\Mozilla\Profiles\default\y1cjr20j.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JOE WEST\Application Data\Mozilla\Profiles\default\y1cjr20j.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: &Canada Toolbar - {94DD342D-0B1E-49A5-80EF-27F4AD584C48} - C:\Program Files\2 Pixels\Canada Toolbar\CanadaToolbar.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\______C backup\Palm\Hotsync.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O8 - Extra context menu item: Subscribe in RSS Bandit - C:\Documents and Settings\Joe West\Application Data\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231877263671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231877235500
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - http://shared.live.com/0AWo70tq93pEHO1Wfbb....RichUpload.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\QuickTax 2007\ic2007pp.dll (file missing)
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c986725b0d78a9) (gupdate1c986725b0d78a9) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JOEWES~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 15682 bytes

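The HijackThis log above is read entry by entry, and the helper decides what goes into the CFScript from it. As an added example (my own code, not HijackThis, ComboFix, or anything posted in this thread), here is a small Python triage pass that parses the "Oxx - ..." entry lines into records and flags the ones a reviewer typically checks first: targets marked "(file missing)", services listed with "Unknown owner", a Winsock LSP that HijackThis does not recognise, and persistent items pointing into a Temp directory. The heuristics are my choice for illustration and the sample lines are copied from the log above; a flag is a prompt to look the file up, not a verdict (ATI Smart, for example, is flagged only because its binary carries no publisher information).

```python
"""Triage helper for HijackThis (HJT) log entries.

Added example, not part of the thread: parses the "Oxx - ..." entry lines of a
HijackThis log into records and flags the ones a reviewer would look at first.
Flags are prompts for manual review, not verdicts.
"""

import re
from dataclasses import dataclass, field
from typing import List, Optional

# HJT writes one entry per line: section code, " - ", section-specific body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Matches "\Temp\" or "/Temp/" anywhere in a path or file:// URL.
TEMP_DIR_RE = re.compile(r"[\\/]temp[\\/]", re.IGNORECASE)


@dataclass
class Entry:
    code: str              # section code, e.g. "O23"
    kind: str              # "Service", "DPF", "Protocol", "Winsock LSP", ...
    name: str              # display name / identifying head of the entry
    owner: Optional[str]   # publisher column (O23 only)
    path: str              # file path or URL the entry points at
    raw: str               # original log line


@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an HJT entry line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # process list, headers, blank lines
    code, body = m.group("code"), m.group("body")
    kind, _, rest = body.partition(": ")
    if code == "O23":
        # "Service: <display name> - <publisher> - <image path>"
        parts = rest.split(" - ", 2)
        parts += [""] * (3 - len(parts))        # tolerate truncated lines
        name, owner, path = parts
        return Entry(code, kind, name, owner, path, line)
    if code == "O10":
        # "Unknown file in Winsock LSP: <dll path>"
        return Entry(code, "Winsock LSP", kind, None, rest, line)
    # O2/O9/O16/O18/O24 ...: the last " - " separated field is the target.
    head, _, target = rest.rpartition(" - ")
    return Entry(code, kind, head or rest, None, target or rest, line)


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply review heuristics; an entry is returned only if at least one fires."""
    findings = []
    for e in entries:
        reasons = []
        if "(file missing)" in e.path:
            reasons.append("registered target no longer exists (orphaned entry)")
        if e.owner == "Unknown owner":
            reasons.append("service binary carries no publisher information")
        if e.code == "O10":
            reasons.append("Winsock LSP not in HJT's known-good list; verify the DLL")
        if TEMP_DIR_RE.search(e.path):
            reasons.append("persistent item points into a Temp directory")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\QuickTax 2007\ic2007pp.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JOEWES~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
"""

if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.entry.code:<4} {f.entry.path}")
        for r in f.reasons:
            print(f"      - {r}")
```

Feed it a full log on stdin or a file and the unflagged entries drop out, which is the point: the reviewer's time goes to the four lines that need a lookup rather than the forty that are stock Windows and Symantec components.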
#13 Axephilic

    MRU Graduate


  • Members
  • 224 posts
  • Gender:Male
  • Location:Wisconsin, US

Posted 04 June 2009 - 10:20 PM

Hello,

Run ComboFix

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
C:\downloaded software\Bug Doctor\BugdoctorSetup.exe
C:\WINDOWS\system32\tidxrv.dll

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

That was smart disconnecting it right away. You did the right thing. Have you had the chance to try it yet and see if it is running alright?

In your next reply, please include:
  • ComboFix log
  • A new HijackThis log
Regards,
Adam
Proud to be a Graduate of Malware Removal University - I am a member of: [badge images]

If I helped you, please consider a donation: [image]

#14 GumbyŠ
  • Topic Starter

  • Members
  • 20 posts

Posted 04 June 2009 - 11:48 PM

The computer is running OK compared to before the infection. It's the connection to the Internet I'm more concerned with and I'll be very happy when the computer is 'clean'. Here are the newest logs.

ComboFix 09-05-30.06 - Joe West 5-Jun-2009 0:01.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1024.509 [GMT -4:00]
Running from: c:\documents and settings\Joe West\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joe West\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\downloaded software\Bug Doctor\BugdoctorSetup.exe"
"c:\windows\system32\tidxrv.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\downloaded software\Bug Doctor\BugdoctorSetup.exe
c:\windows\system32\tidxrv.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-05 to 2009-06-05 )))))))))))))))))))))))))))))))
.

2009-06-04 22:04 . 2009-06-05 00:33 3038389 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\22A34002.exe
2009-06-04 20:56 . 2009-06-04 20:56 -------- d-----w- c:\program files\ESET
2009-05-13 19:07 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-05-13 19:07 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2009-05-10 03:28 . 2009-05-10 03:28 -------- d-----w- C:\New Folder (2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-05 03:31 . 2008-09-18 14:29 446012 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-05 03:31 . 2008-09-18 14:29 37898272 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-04 23:25 . 2008-07-12 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-03 20:44 . 2005-06-26 01:03 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-05-14 23:50 . 2005-06-28 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-13 19:25 . 2005-06-26 00:30 26280 ----a-w- c:\windows\system32\emptyregdb.dat
2009-05-07 21:42 . 2006-08-02 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-05-07 21:42 . 2006-08-02 21:53 -------- d-----w- c:\program files\Spyware Terminator
2009-05-07 19:58 . 2007-10-07 01:40 -------- d-----w- c:\documents and settings\Joe West\Application Data\Spyware Terminator
2009-05-05 14:48 . 2005-06-26 02:33 -------- d-----w- c:\program files\IrfanView
2009-05-02 01:20 . 2006-10-29 22:48 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-01 03:14 . 2009-05-01 03:14 -------- d-----w- c:\program files\Virtual U
2009-04-27 22:17 . 2009-04-27 22:17 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP9.dll
2009-04-27 22:16 . 2009-04-27 22:16 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP8.dll
2009-04-27 22:16 . 2009-04-27 22:16 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP7.dll
2009-04-27 22:15 . 2009-04-27 22:15 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP6.dll
2009-04-27 22:14 . 2009-04-27 22:14 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP5.dll
2009-04-27 22:14 . 2009-04-27 22:14 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP4.dll
2009-04-25 22:55 . 2005-08-31 00:51 -------- d-----w- c:\program files\Common Files\DataViz
2009-04-25 22:54 . 2008-04-01 22:40 -------- dc----w- c:\program files\Common Files\WindowsLiveInstaller
2009-04-25 22:54 . 2005-07-30 06:25 -------- d-----w- c:\program files\DivX
2009-04-25 22:54 . 2005-10-23 18:56 -------- d-----w- c:\program files\Giganews Binary Newsreader
2009-04-25 22:54 . 2006-11-19 18:24 -------- d-----w- c:\program files\InstallConstruct 6
2009-04-25 22:54 . 2006-11-19 18:16 -------- d-----w- c:\program files\Install Creator Pro
2009-04-25 22:54 . 2006-06-26 23:08 -------- d-----w- c:\program files\iTunes
2009-04-25 22:54 . 2005-06-26 02:52 -------- d-----w- c:\program files\InstallShield Installation Information
2009-04-25 22:54 . 2005-06-28 05:12 -------- d-----w- c:\program files\Lavasoft
2009-04-25 22:53 . 2005-07-01 00:14 -------- d-----w- c:\program files\Norton SystemWorks
2009-04-25 22:53 . 2009-03-05 06:00 -------- d-----w- c:\program files\QuickTax 2008
2009-04-25 22:53 . 2005-06-27 20:07 -------- d-----w- c:\program files\QuickTime
2009-04-25 22:53 . 2006-07-07 16:47 -------- d-----w- c:\program files\Samurize
2009-04-25 22:53 . 2005-07-05 21:15 -------- d-----w- c:\program files\Stamps.com Internet Postage
2009-04-25 22:53 . 2007-12-05 21:57 -------- d-----w- c:\program files\TweakNow RegCleaner Std
2009-04-25 22:53 . 2005-06-27 20:06 -------- d-----w- c:\program files\Trillian
2009-04-25 22:53 . 2005-06-29 23:36 -------- d-----w- c:\program files\Winamp
2009-04-25 22:53 . 2005-07-03 00:24 -------- d-----w- c:\program files\WS_FTP
2009-04-25 22:46 . 2009-04-25 22:29 -------- d-----w- c:\program files\TrueSafe
2009-04-25 22:29 . 2009-04-25 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\{C2AC1E50-6536-4256-ACE6-413136533580}
2009-04-25 19:35 . 2009-04-23 06:16 -------- d-----w- c:\program files\Cobian Backup 9
2009-04-23 06:15 . 2009-04-23 06:15 -------- d-----w- c:\documents and settings\Joe West\Application Data\GoodSync
2009-04-20 19:46 . 2009-04-20 19:46 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP3.exe
2009-04-20 19:46 . 2009-04-20 19:46 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP2.exe
2009-04-20 19:46 . 2009-04-20 19:46 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP1.exe
2009-04-20 19:46 . 2009-04-20 19:46 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP0.exe
2009-04-17 00:31 . 2005-06-26 02:52 -------- d-----w- c:\program files\Java
2009-04-17 00:30 . 2009-04-17 00:30 152576 ----a-w- c:\documents and settings\Joe West\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 00:20 . 2005-07-10 01:04 -------- d-----w- c:\documents and settings\Joe West\Application Data\ArcSoft
2009-04-17 00:18 . 2009-04-12 05:10 -------- d-----w- c:\program files\AllMySoftware
2009-04-17 00:16 . 2007-10-27 22:30 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-04-17 00:16 . 2005-07-10 00:53 -------- d-----w- c:\program files\ArcSoft
2009-04-17 00:15 . 2009-04-17 00:15 -------- d-----w- c:\program files\OVT
2009-04-16 16:55 . 2009-04-16 16:55 -------- d-----w- c:\program files\BookCAT
2009-04-12 15:15 . 2008-05-20 08:10 32334728 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-04-11 04:14 . 2007-02-15 22:32 -------- d-----w- c:\documents and settings\Joe West\Application Data\U3
2009-04-05 17:41 . 2009-04-05 17:41 72002 ----a-w- c:\windows\Internet Logs\GLB4_2nd_2009_04_05_13_27_18_small.dmp.zip
2009-04-05 17:41 . 2009-04-05 17:41 78853 ----a-w- c:\windows\Internet Logs\GLB25_2nd_2009_04_05_13_34_46_small.dmp.zip
2009-04-05 17:09 . 2009-04-05 17:09 40828 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2009_04_05_12_19_46_small.dmp.zip
2009-04-04 22:49 . 2009-04-25 22:29 321108 ----a-w- c:\documents and settings\All Users\Application Data\{C2AC1E50-6536-4256-ACE6-413136533580}\mia.dll
2009-04-04 22:49 . 2009-04-25 22:29 2409425 ----a-w- c:\documents and settings\All Users\Application Data\{C2AC1E50-6536-4256-ACE6-413136533580}\TrueSafeSetup.exe
2009-03-30 17:06 . 2009-03-30 17:06 170551 ----a-w- c:\windows\system32\msnslr32.exe
2009-03-24 17:54 . 2009-03-24 17:54 1998848 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181154-18125.dll
2009-03-24 17:54 . 2009-03-24 17:54 242976 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2009-03-24 17:54 . 2009-03-24 17:54 997 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd
2009-03-24 17:54 . 2009-03-24 17:54 223584 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll
2009-03-18 01:14 . 2009-03-18 01:14 152576 ----a-w- c:\documents and settings\Joe West\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-11 09:43 . 2005-06-26 01:02 129344 ----a-w- c:\documents and settings\Joe West\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-09 09:19 . 2008-12-01 09:12 410984 ----a-w- c:\windows\system32\deploytk.dll
1765-03-26 02:38 . 1765-03-26 02:38 4263 --sha-w- c:\windows\windllreg1c.sys
2006-11-26 22:31 . 2006-10-29 22:48 88 --sha-r- c:\windows\system32\8DFEF1B4EF.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-05-14_02.27.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-05 03:52 . 2009-06-05 03:52 16384 c:\windows\temp\Perflib_Perfdata_314.dat
+ 2004-08-04 12:00 . 2009-05-14 04:06 79012 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-05-13 19:26 79012 c:\windows\system32\perfc009.dat
- 2005-06-30 06:10 . 2009-01-13 21:44 27136 c:\windows\Installer\{90150409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2005-06-30 06:10 . 2009-06-01 19:05 27136 c:\windows\Installer\{90150409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2005-06-30 06:10 . 2009-06-01 19:05 12288 c:\windows\Installer\{90150409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2005-06-30 06:10 . 2009-01-13 21:44 12288 c:\windows\Installer\{90150409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2005-06-30 06:10 . 2009-06-01 19:05 4096 c:\windows\Installer\{90150409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2005-06-30 06:10 . 2009-01-13 21:44 4096 c:\windows\Installer\{90150409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2004-08-04 12:00 . 2009-05-14 04:06 475054 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-05-13 19:26 475054 c:\windows\system32\perfh009.dat
+ 2009-05-07 19:23 . 2009-06-05 03:53 202770 c:\windows\system32\inetsrv\MetaBase.bin
- 2005-06-30 06:10 . 2009-01-13 21:44 135168 c:\windows\Installer\{90150409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2005-06-30 06:10 . 2009-06-01 19:05 135168 c:\windows\Installer\{90150409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2005-06-30 06:10 . 2009-01-13 21:44 593920 c:\windows\Installer\{90150409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2005-06-30 06:10 . 2009-06-01 19:05 593920 c:\windows\Installer\{90150409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2007-05-10 17:42 . 2007-05-10 17:42 450392 c:\windows\Installer\$PatchCache$\Managed\9040510900063D11C8EF10054038389C\11.0.8173\SOA.DLL
+ 2007-01-17 00:32 . 2007-01-17 00:32 136032 c:\windows\Installer\$PatchCache$\Managed\9040510900063D11C8EF10054038389C\11.0.8173\MSAEXP30.DLL
+ 2007-04-19 17:54 . 2007-04-19 17:54 169312 c:\windows\Installer\$PatchCache$\Managed\9040510900063D11C8EF10054038389C\11.0.8173\ACCWIZ.DLL
+ 2007-05-10 17:43 . 2007-05-10 17:43 6688096 c:\windows\Installer\$PatchCache$\Managed\9040510900063D11C8EF10054038389C\11.0.8173\MSACCESS.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WeatherEye"="c:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-01-16 4519832]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-09-14 28672]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 53096]
"Jet Detection"="c:\program files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-04-20 28672]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-10-15 1818624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-3-30 221247]
HOTSYNCSHORTCUTNAME.lnk - c:\______c backup\Palm\Hotsync.exe [2004-6-9 471040]
HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]
Monitor.lnk - c:\program files\ArcSoft\Media Card Companion\MCC Monitor.exe [2005-7-9 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
"EnableShellExecuteHooks"= 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave3"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:F *\0SsiEfr.e\0lsdelete\0\0sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=c:\windows\pss\DataViz Inc Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MySoftware NewsFlash.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MySoftware NewsFlash.lnk
backup=c:\windows\pss\MySoftware NewsFlash.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OrganizeMY Outlook Express Connector.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\OrganizeMY Outlook Express Connector.lnk
backup=c:\windows\pss\OrganizeMY Outlook Express Connector.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk
backup=c:\windows\pss\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WordWeb.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WordWeb.lnk
backup=c:\windows\pss\WordWeb.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Joe West^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Joe West\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Joe West^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\Joe West\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Joe West^Start Menu^Programs^Startup^Password Keeper.lnk]
path=c:\documents and settings\Joe West\Start Menu\Programs\Startup\Password Keeper.lnk
backup=c:\windows\pss\Password Keeper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\iTouch\\iTouch.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\Program Files\\TheWeatherNetwork\\WeatherEye\\WeatherEye.exe"=
"c:\\Program Files\\Hewlett-Packard\\AiO\\hp officejet g series\\Bin\\hpoavn07.exe"=
"c:\\Program Files\\ArcSoft\\Media Card Companion\\MCC Monitor.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=

R0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\drivers\IABFilt.sys [03-Mar-2005 1:23 PM 25344]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [06-Oct-2007 9:52 PM 138624]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [27-Feb-2009 1:23 PM 101936]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [11-Jul-2001 12:06 PM 23153]
S2 BT848;CxVCap, WDM Video Capture;c:\windows\system32\drivers\cxvcap.sys --> c:\windows\system32\drivers\cxvcap.sys [?]
S2 CXTUNER;CxTuner, WDM TvTuner;c:\windows\system32\drivers\CXTUNER.sys --> c:\windows\system32\drivers\CXTUNER.sys [?]
S2 CXXBAR;CxXBar, WDM Crossbar;c:\windows\system32\drivers\CXXBAR.sys --> c:\windows\system32\drivers\CXXBAR.sys [?]
S2 gupdate1c986725b0d78a9;Google Update Service (gupdate1c986725b0d78a9);c:\program files\Google\Update\GoogleUpdate.exe [03-Feb-2009 10:43 PM 133104]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [06-Nov-2007 4:22 PM 34064]
S3 PortRST;USB Flash Memory Controller Service:PortRST;c:\windows\system32\drivers\PortRST.sys [12-Aug-2005 9:09 PM 15547]
S3 USBFMC;USB Flash Memory Controller Service;c:\windows\system32\drivers\USBFMC.sys [12-Aug-2005 9:09 PM 34612]
S3 USTOR;Verbatim Store 'n' Go;c:\windows\system32\drivers\UStork.sys [14-Sep-2005 10:52 PM 19762]
S3 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [16-Aug-2007 5:54 PM 598856]
.
Contents of the 'Scheduled Tasks' folder

2009-01-05 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20]

2009-06-05 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 02:42]

2006-06-23 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Joe West.job
- c:\progra~1\NORTON~1\NORTON~3\Navw32.exe [2005-09-23 16:13]

2009-01-05 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2005-10-06 02:02]

2009-06-05 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2005-10-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.joewest.ca/Robin/index.htm
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
IE: Subscribe in RSS Bandit - c:\documents and settings\Joe West\Application Data\RssBandit\iecontext_subscribebandit.htm
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} - hxxp://shared.live.com/0AWo70tq93pEHO1WfbbTIA/etc/Microsoft.Live.Folders.RichUpload.cab
FF - ProfilePath - c:\documents and settings\Joe West\Application Data\Mozilla\Firefox\Profiles\ahfwoml5.default\
FF - prefs.js: browser.startup.homepage -
FF - plugin: c:\documents and settings\Joe West\Application Data\Mozilla\Firefox\Profiles\ahfwoml5.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npCtNPi.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npdrmv2.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npdsplay.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npwmsdrm.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-05 00:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????=2????wd??w????????\???\??????????????w-??w\???\?????????`??????C@?\???\??????s????\??????s\????=2?A??s?=2??C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1614895754-1364589140-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WRLogonNTF.dll
.
Completion time: 2009-06-05 0:16
ComboFix-quarantined-files.txt 2009-06-05 04:16
ComboFix2.txt 2009-06-02 21:35
ComboFix3.txt 2009-05-14 02:37

Pre-Run: 3,276,468,224 bytes free
Post-Run: 3,337,281,536 bytes free

301

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:54 AM, on 05-Jun-2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\______C backup\Palm\Hotsync.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\HEWLET~2\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Joe West\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.joewest.ca/Robin/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\JOE WEST\Application Data\Mozilla\Profiles\default\y1cjr20j.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JOE WEST\Application Data\Mozilla\Profiles\default\y1cjr20j.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: &Canada Toolbar - {94DD342D-0B1E-49A5-80EF-27F4AD584C48} - C:\Program Files\2 Pixels\Canada Toolbar\CanadaToolbar.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\______C backup\Palm\Hotsync.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O8 - Extra context menu item: Subscribe in RSS Bandit - C:\Documents and Settings\Joe West\Application Data\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231877263671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231877235500
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - http://shared.live.com/0AWo70tq93pEHO1Wfbb....RichUpload.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\QuickTax 2007\ic2007pp.dll (file missing)
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c986725b0d78a9) (gupdate1c986725b0d78a9) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JOEWES~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 15599 bytes

#15 Axephilic

Axephilic

    MRU Graduate


  • Members
  • 224 posts
  • OFFLINE
  • Gender:Male
  • Location:Wisconsin, US
  • Local time:05:03 AM

Posted 06 June 2009 - 12:01 PM

You should empty your Norton Quarantine.

Congratulations, you are now all clean! To help prevent you from becoming reinfected, please follow the instructions below in order. If you have any questions, please feel free to ask them. If after 48 hours you have not responded to this, then I will assume you have no questions and have the topic closed.

First, let's uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the run box and click OK

Flush the system restore points

  • Right click on My Computer and select Properties.
  • Select the System Restore tab.
  • Check (tick) the Turn off system restore on all drives box.
  • Click Apply.
  • Uncheck (untick) the Turn off system restore on all drives box.
  • Click OK.
  • Restart your computer.

Note: Do this only ONCE, don't flush it regularly.

Keep your system updated

Microsoft releases patches for Windows and Office products regularly to patch loopholes in Windows and Office products and fix any bugs found. Please ensure that you visit the following websites regularly or update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows and Office

Go to Start > All Programs > Microsoft Update


Alternatively, you can visit the link below to update Windows and Office products.

Microsoft Update

I also recommend, if it's not already on, to enable Automatic updates. It will notify you whenever there are new updates available. Here's how:
  • Go to Start > Control Panel > Automatic Updates
  • Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
  • Select the Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
  • Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.
Besides Windows, which needs regular updating, antivirus, anti-spyware and firewall programs release updates regularly too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Surf safely

Many of the exploits are directed to users of Internet Explorer and Firefox.

Using Firefox with NoScript add-on helps to prevent most exploits from running as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.

If you prefer to use Internet Explorer, here are some settings to change to improve the security of Internet Explorer.

For Internet Explorer 6
  • Open Internet Explorer. Click on Tools > Options.
  • Click on the Security tab.
  • Click on the Internet icon.
  • Click on the Custom Level button.
  • Under Download signed ActiveX controls, select Prompt.
  • Under Download unsigned ActiveX controls, select Disable.
  • Under Initialize and script ActiveX controls not marked as safe, select Disable.
  • Under Installation of desktop items, select Prompt.
  • Under Launching programs and files in an IFRAME, select Prompt.
  • Under Navigate sub-frames across different domains, select Prompt.
  • Under Allow paste operations via script, select Disable.
  • Click OK to apply these settings.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Press OK to exit the Internet Properties page.
For a pictorial guide, please refer to this article.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection
  • Winpatrol
    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • Hosts File
    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    A custom Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by redirecting these bad sites to 127.0.0.1.

    Here are some Hosts files:

    MVPS Hosts File
    Bluetack's Hosts File
    Bluetack's Host Manager
    hpHosts

    A tutorial about Hosts File can be found at Malware Removal.

  • Spybot Search and Destroy
    Spybot Search & Destroy is another program for scanning for spyware and adware. Not only that, it has other preventive options as well. You are strongly encouraged to run a scan at least once per week.

    Spybot Search & Destroy can be downloaded from here.

    If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy tutorial at Bleeping Computer.

    Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs and Malwarebytes RogueNET. This will save you from a lot of trouble. If in doubt, don't ever download it.

  • SiteHound Toolbar
    SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spyware, or has questionable content. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Happy surfing and stay clean!

Regards,
Adam
Proud to be a Graduate of Malware Removal University - I am a member of:

If I helped you, please consider a donation.
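The Hosts file section of the reply above describes the lookup order (Hosts file first, then DNS) and the protective trick of pointing known bad sites at 127.0.0.1. The same mechanism is what malware abuses when it maps a legitimate site to an address the attacker controls, so a defender wants to parse the file and tell the two kinds of entries apart. The following is an added example written for this page, not code from the thread or from any of the tools it names; the sample Hosts contents are constructed, and `192.0.2.10` is a documentation-range address standing in for a hijack destination.

```python
"""Parse and audit a Windows-style Hosts file.

Added example for this thread (not from the original post). The sample
Hosts text below is constructed for demonstration; the only entry that
ships with Windows is the localhost line.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample Hosts file content (not taken from the page).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# blocklist-style entries: known ad/spyware hosts sent to the loopback address
127.0.0.1       ads.example         # constructed
0.0.0.0         tracker.example     # constructed
# hijack-style entry: a legitimate site silently redirected elsewhere (constructed)
192.0.2.10      update.microsoft.com
"""

# Addresses that make a name unreachable rather than redirecting it.
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Return a hostname -> IP mapping, reading the file the way the resolver does:
    one IP per line followed by one or more names; '#' starts a comment.
    The first mapping seen for a name wins, as it does for the system resolver."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # malformed: address with no name
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                          # not an address; the resolver skips it too
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def resolve(name: str, mapping: Dict[str, str]) -> Optional[str]:
    """The Hosts file is consulted before DNS: return the mapped address, or
    None meaning 'not in Hosts, so a DNS query would be sent'."""
    return mapping.get(name.lower())


def audit(mapping: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Classify every entry as 'local' (the localhost line), 'block' (loopback
    or null address, the protective use the post describes) or 'redirect'
    (a routable address, the pattern used to hijack update and security sites)."""
    findings: List[Tuple[str, str, str]] = []
    for name, ip in sorted(mapping.items()):
        if name == "localhost":
            kind = "local"
        elif ip in LOOPBACK_OR_NULL:
            kind = "block"
        else:
            kind = "redirect"
        findings.append((name, ip, kind))
    return findings


def suspicious_entries(mapping: Dict[str, str]) -> List[Tuple[str, str]]:
    """Only the 'redirect' entries need a human to decide whether they are legitimate."""
    return [(name, ip) for name, ip, kind in audit(mapping) if kind == "redirect"]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name, ip, kind in audit(hosts):
        print(f"{kind:8} {ip:16} {name}")
    print("resolve('ads.example') ->", resolve("ads.example", hosts))
    print("resolve('www.example') ->", resolve("www.example", hosts))
    print("entries to review:", suspicious_entries(hosts))
```

On a real machine the file to feed into `parse_hosts` is `%SystemRoot%\System32\drivers\etc\hosts`. A very large file made entirely of `block` entries is what the MVPS and hpHosts lists look like; any `redirect` entry is worth checking by hand, since a legitimate administrator rarely needs one on a home PC and malware uses exactly that form to cut a machine off from update and antivirus sites.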



