UACinit.dll issues


15 replies to this topic

#1 psyclone

  • Members
  • 11 posts

Posted 16 May 2009 - 11:49 PM

Hi

I'm hoping someone here can help with an issue I have identified with my PC. After much Googling and reading I figured I had a virus/trojan and have tried to fix it. I have downloaded Malwarebytes and run it a number of times. The first time it found a number of issues and cleaned most, although I had to restart to delete some items. I did this, but after a rescan it identified an issue with UACinit.dll and said to reboot so it could delete it. I have now done this a number of times from normal mode, safe mode, etc., but it wouldn't work.

I have since downloaded combofix and run that as well, which deleted a number of files. I would like someone to step me through the final process so that I can ensure I have deleted it completely.

Here is my last Malwarebytes log before I ran ComboFix.


Malwarebytes' Anti-Malware 1.36
Database version: 2143
Windows 5.1.2600 Service Pack 3

17/05/2009 12:53:11 PM
mbam-log-2009-05-17 (12-53-11).txt

Scan type: Quick Scan
Objects scanned: 88941
Time elapsed: 3 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.


__________________________________

And here is my last HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:55:40 PM, on 17/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theage.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158968232375
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherA...iomanagerwt.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...327/mcfscan.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B7CC692-DEF0-4C9E-A11A-530DB952D56D}: NameServer = 10.0.0.138
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 12454 bytes




As I said I have since run ComboFix so can post that log if required...I didn't do it yet because the rules say not to until someone asks.


Thanks
Steven

#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 17 May 2009 - 02:55 AM

Hello Steven,


Actually, you shouldn't run ComboFix at all without some help. There is much more to it than meets the eye, and you could kill your machine with it.

Please do post the log so I can be sure it got all of the rootkit.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
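A small triage script for the three log formats quoted in this thread (Malwarebytes "Files Infected" lines, HijackThis O23 service lines and ComboFix service lines). This is an added example, not a BleepingComputer or Malware Response Team tool. The sample lines are copied from the logs posted in this thread; the regexes are written against exactly those line shapes, and the severity rules (a vowel-free lowercase service name whose driver image ComboFix reports as `[?]`, i.e. not found on disk, is treated as a probable rootkit leftover) are the example's own heuristics, not anything the tools themselves emit.

```python
"""Triage the log lines a helper looks at first: ComboFix driver services whose
image file cannot be found, HijackThis services marked '(file missing)', and
Malwarebytes detections that were only scheduled for 'Delete on reboot'.
Added example for this page; the severity rules are heuristics, not vendor logic."""
import re
from dataclasses import dataclass

# HijackThis: O23 - Service: <display> (<name>) - <owner> - <path> [(file missing)]
HJT_O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
# ComboFix: S2 <name>;<display>;<image> [--> <resolved>] [<date size> or ?]
CF_SERVICE = re.compile(
    r"^(?P<start>[SR]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)"
    r"(?: --> (?P<resolved>\S+))? \[(?P<info>[^\]]*)\]$")
# Malwarebytes: <path> (<detection>) -> <action>.
MBAM_FILE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

VOWELS = set("aeiou")


@dataclass
class Finding:
    source: str    # "hjt", "combofix" or "mbam"
    name: str      # service name or file path
    severity: str  # "high", "medium" or "low"
    reason: str


def looks_random(name: str) -> bool:
    """Heuristic for generated service names such as 'gqsgq': 4-10 lowercase
    letters with no vowel at all. Kept strict so short legitimate names
    like 'gusvc' are not flagged."""
    return bool(re.fullmatch(r"[a-z]{4,10}", name)) and not (set(name) & VOWELS)


def triage_line(line: str):
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.rstrip()
    m = CF_SERVICE.match(line)
    if m:
        if m["info"].strip() != "?":
            return None  # image exists with a timestamp: nothing to flag here
        if looks_random(m["name"]) or m["display"] == m["name"]:
            return Finding("combofix", m["name"], "high",
                           "driver service with a generated-looking name and no image "
                           "on disk (typical leftover of a rootkit driver)")
        return Finding("combofix", m["name"], "medium",
                       "driver service whose image could not be found; confirm it is "
                       "a vendor driver before deleting the service")
    m = HJT_O23.match(line)
    if m and m["missing"]:
        return Finding("hjt", m["name"] or m["display"], "low",
                       "service registered for a file that no longer exists (orphan)")
    m = MBAM_FILE.match(line)
    if m and m["action"].lower().startswith("delete on reboot"):
        return Finding("mbam", m["path"], "medium",
                       "deletion deferred to the next boot; re-check the path after "
                       "rebooting, a live rootkit can block the deferred delete")
    return None


def triage(log_text: str):
    """Run triage_line over every line and keep only the findings."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


# Sample input: lines copied from the logs quoted in this thread.
SAMPLE_LOG = r"""
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
S2 gqsgq;gqsgq;c:\windows\system32\drivers\iqtmp.sys --> c:\windows\system32\drivers\iqtmp.sys [?]
S2 rfpbvm;rfpbvm;c:\windows\system32\drivers\qxsjavk.sys --> c:\windows\system32\drivers\qxsjavk.sys [?]
S3 BPIKSp50;BPIKSp50 NDIS Protocol Driver;\??\g:\bpiksp50.sys --> g:\BPIKSp50.sys [?]
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.source:8} {f.name}: {f.reason}")
```

Anything rated high is what a helper would target first; a Malwarebytes "Delete on reboot" entry whose path still exists after a restart is the tell that something running at boot is protecting the file, which is exactly the situation described in the opening post.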

#3 psyclone
  • Topic Starter

  • Members
  • 11 posts

Posted 17 May 2009 - 04:07 AM

Hi tea

Since my post I have been trying a number of other things to try and resolve this and some other issues with my PC.

Here is my latest ComboFix log. I will post latest HJT log below it. Thanks for your help!

ComboFix 09-05-16.05 - Steven & Adam 17/05/2009 18:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1023.546 [GMT 10:00]
Running from: c:\documents and settings\Steven & Adam\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-05-17 08:18 . 2009-05-17 08:18 -------- d-----w c:\documents and settings\Steven & Adam\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-05-17 07:56 . 2009-05-17 08:19 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-17 07:52 . 2009-05-17 07:59 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-05-17 07:52 . 2009-05-17 07:59 -------- d-----w c:\program files\NOS
2009-05-17 03:46 . 2009-05-17 03:46 -------- d-----w c:\program files\Trend Micro
2009-05-17 00:38 . 2009-05-17 00:38 -------- d-----w c:\documents and settings\Steven & Adam\Application Data\Malwarebytes
2009-05-17 00:26 . 2009-04-06 05:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-17 00:26 . 2009-04-06 05:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-17 00:26 . 2009-05-17 00:26 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-17 00:26 . 2009-05-17 00:38 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-16 08:12 . 2009-05-16 08:12 -------- d--h--w c:\windows\PIF
2009-05-15 21:42 . 2009-05-15 21:42 -------- d-----w c:\documents and settings\Steven & Adam\Application Data\Windows Search
2009-05-15 21:22 . 2009-05-15 22:03 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-05-15 21:21 . 2009-05-15 21:21 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-15 21:21 . 2009-05-17 07:10 -------- d-----w c:\program files\Windows Desktop Search
2009-05-15 21:21 . 2009-05-15 21:21 -------- d-----w c:\windows\system32\GroupPolicy
2009-05-15 21:19 . 2008-03-07 17:02 29696 -c----w c:\windows\system32\dllcache\mimefilt.dll
2009-05-15 21:19 . 2008-03-07 17:02 98304 -c----w c:\windows\system32\dllcache\nlhtml.dll
2009-05-15 21:19 . 2008-03-07 17:02 192000 -c----w c:\windows\system32\dllcache\offfilt.dll
2009-05-14 09:05 . 2008-11-10 01:41 32656 ----a-w c:\windows\system32\msonpmon.dll
2009-05-14 09:04 . 2009-05-14 09:54 -------- d-----w c:\program files\Microsoft Works
2009-05-14 09:02 . 2009-05-14 09:02 -------- d-----w c:\program files\Microsoft.NET
2009-05-14 08:58 . 2009-05-14 08:58 -------- d-----w c:\program files\Microsoft Visual Studio 8
2009-05-14 08:55 . 2009-05-14 08:55 -------- d-----w c:\documents and settings\Steven & Adam\Local Settings\Application Data\Microsoft Help
2009-05-14 08:55 . 2009-05-14 12:24 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-14 08:54 . 2009-05-14 08:54 -------- d--h--r C:\MSOCache
2009-05-09 23:58 . 2009-05-09 23:58 3532 ----a-w C:\drmHeader.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 08:33 . 2006-11-02 00:43 -------- d-----w c:\program files\Common Files\Real
2009-05-17 08:28 . 2006-09-23 15:18 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-17 07:55 . 2006-09-24 10:50 -------- d-----w c:\program files\Common Files\Adobe
2009-05-17 07:10 . 2008-06-28 03:20 -------- d-----w c:\program files\Google
2009-05-17 06:59 . 2006-10-19 00:07 -------- d-----w c:\program files\Windows Live Safety Center
2009-05-17 06:56 . 2006-09-23 15:18 -------- d-----w c:\program files\Java
2009-05-17 01:38 . 2006-12-08 17:03 -------- d-----w c:\program files\Windows Media Connect 2
2009-05-17 01:38 . 2006-09-24 11:00 -------- d-----w c:\program files\eMule
2009-05-17 01:38 . 2006-09-23 15:18 -------- d-----w c:\program files\DivX
2009-05-16 23:46 . 2006-09-23 15:18 -------- d-----w c:\program files\Ahead
2009-05-16 21:58 . 2007-09-03 14:55 47360 ----a-w c:\documents and settings\Steven & Adam\Application Data\pcouffin.sys
2009-05-16 21:57 . 2006-09-23 15:18 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-15 08:02 . 2006-09-21 14:33 73984 ----a-w c:\documents and settings\Steven & Adam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-14 09:04 . 2009-02-06 10:53 -------- d-----w c:\program files\MSBuild
2009-05-02 10:53 . 2008-02-09 11:31 -------- d-----w c:\program files\Azureus
2009-04-03 20:59 . 2009-03-29 02:35 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-03-23 07:01 . 2009-03-23 07:01 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-21 04:17 . 2006-09-23 15:18 -------- d-----w c:\program files\iTunes
2009-03-21 04:16 . 2009-03-21 04:16 -------- d-----w c:\program files\iPod
2009-03-21 04:14 . 2009-03-21 04:14 -------- d-----w c:\program files\QuickTime
2009-03-08 19:19 . 2008-12-14 03:02 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-07 17:34 . 2006-02-28 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-07 17:34 . 2006-02-28 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-07 17:33 . 2006-02-28 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-07 17:33 . 2006-02-28 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-07 17:32 . 2006-02-28 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-07 17:32 . 2006-02-28 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-07 17:31 . 2006-02-28 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-07 17:31 . 2006-02-28 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-07 17:31 . 2006-02-28 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-07 17:22 . 2006-02-28 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2006-02-28 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 12:59 . 2009-03-21 04:10 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-05 12:59 . 2009-03-21 04:10 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-02-20 22:25 . 2008-12-31 07:04 691592 ----a-w c:\windows\system32\OGACheckControl.DLL
.

((((((((((((((((((((((((((((( SnapShot@2009-05-17_04.18.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-02-28 12:00 . 2009-05-17 07:00 71982 c:\windows\system32\perfc009.dat
+ 2006-09-21 14:29 . 2009-05-17 07:53 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-09-21 14:29 . 2009-05-16 07:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-09-21 14:29 . 2009-05-17 07:53 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-09-21 14:29 . 2009-05-16 07:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-09-21 14:29 . 2009-05-17 07:53 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-09-21 14:29 . 2009-05-16 07:45 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-02-28 12:00 . 2009-05-17 07:00 443724 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-10 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-11 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"GBB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-06-02 385024]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-17 45056]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-05-27 16208384]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-28 76304]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2006-12-11 20480]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2006-12-11 19456]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Steven & Adam\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-9-26 113664]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-24 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-01 18:42 72208 ----a-w c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:Emule TCP Port

S2 gqsgq;gqsgq;c:\windows\system32\drivers\iqtmp.sys --> c:\windows\system32\drivers\iqtmp.sys [?]
S2 rfpbvm;rfpbvm;c:\windows\system32\drivers\qxsjavk.sys --> c:\windows\system32\drivers\qxsjavk.sys [?]
S3 BPIKSp50;BPIKSp50 NDIS Protocol Driver;\??\g:\bpiksp50.sys --> g:\BPIKSp50.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2008-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 04:34]

2009-05-16 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

2009-05-17 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

2009-05-17 c:\windows\Tasks\User_Feed_Synchronization-{6A50B563-0EB9-487E-A3C7-C7F0DEE17FF7}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.theage.com.au/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 18:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(1444)
c:\windows\system32\nview.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-17 18:59
ComboFix-quarantined-files.txt 2009-05-17 08:58
ComboFix2.txt 2009-05-17 04:21

Pre-Run: 5,760,245,760 bytes free
Post-Run: 5,835,264,000 bytes free

201 --- E O F --- 2009-05-13 08:23





Here's my latest HJT log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:38 PM, on 17/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theage.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158968232375
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherA...iomanagerwt.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...327/mcfscan.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B7CC692-DEF0-4C9E-A11A-530DB952D56D}: NameServer = 10.0.0.138
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 9678 bytes

Once again, thank you.

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:30 PM

Posted 17 May 2009 - 04:38 AM

there,

You're welcome. :thumbup2:

Do you happen to have the original log from ComboFix? Also, you say there are other issues... could you tell me about them please? Your HijackThis log looks fine, but it isn't a tell-all.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#5 psyclone

psyclone
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:30 AM

Posted 17 May 2009 - 04:59 AM

After I ran ComboFix I was uninstalling some old software and running Reg Mechanic, then my copy of Norton 360 started playing up. Although it's activated and has a few months remaining, it was showing an error and said my Trial Licence had expired. I then couldn't reactivate it successfully. I have since removed it by running Malwarebytes again, which found two security-related issues and deleted them, then I ran ComboFix (the log for that was the one I posted in my previous reply).


Here is the original ComboFix log.



ComboFix 09-05-16.05 - Steven & Adam 17/05/2009 14:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1023.601 [GMT 10:00]
Running from: c:\documents and settings\Steven & Adam\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Steven & Adam\Application Data\inst.exe
c:\windows\system32\drivers\UACahgosqmnnstvydx.sys
c:\windows\system32\uacinit.dll
c:\windows\system32\UACiqhjwcpqfrwcpyo.dll
c:\windows\system32\UACjdlnbkmlivmolbu.dll
c:\windows\system32\UAClcrksxdslgkeflu.dat
c:\windows\system32\UACnvfwrgiijdfqxam.log
c:\windows\system32\UAConbifokkicgbjal.dll
c:\windows\system32\UACpudhbgvlmyaqlff.log
c:\windows\system32\UACqbaddkwwinejork.dll
c:\windows\system32\UACsoaelvvhfntpxfx.log
c:\windows\system32\UACwrxcstcfhwqmayq.dll

----- BITS: Possible infected sites -----

hxxp://softwaredownloadcentercom.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-05-17 03:46 . 2009-05-17 03:46 -------- d-----w c:\program files\Trend Micro
2009-05-17 00:38 . 2009-05-17 00:38 -------- d-----w c:\documents and settings\Steven & Adam\Application Data\Malwarebytes
2009-05-17 00:26 . 2009-04-06 05:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-17 00:26 . 2009-04-06 05:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-17 00:26 . 2009-05-17 00:26 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-17 00:26 . 2009-05-17 00:38 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-16 08:12 . 2009-05-16 08:12 -------- d--h--w c:\windows\PIF
2009-05-15 21:42 . 2009-05-15 21:42 -------- d-----w c:\documents and settings\Steven & Adam\Application Data\Windows Search
2009-05-15 21:22 . 2009-05-15 22:03 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-05-15 21:22 . 2009-05-15 21:22 -------- d-----w c:\documents and settings\Steven & Adam\Application Data\Windows Desktop Search
2009-05-15 21:21 . 2009-05-15 21:21 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-15 21:21 . 2009-05-15 21:21 -------- d-----w c:\program files\Windows Desktop Search
2009-05-15 21:21 . 2009-05-15 21:21 -------- d-----w c:\windows\system32\GroupPolicy
2009-05-15 21:19 . 2008-03-07 17:02 29696 -c----w c:\windows\system32\dllcache\mimefilt.dll
2009-05-15 21:19 . 2008-03-07 17:02 98304 -c----w c:\windows\system32\dllcache\nlhtml.dll
2009-05-15 21:19 . 2008-03-07 17:02 192000 -c----w c:\windows\system32\dllcache\offfilt.dll
2009-05-14 09:05 . 2008-11-10 01:41 32656 ----a-w c:\windows\system32\msonpmon.dll
2009-05-14 09:04 . 2009-05-14 09:54 -------- d-----w c:\program files\Microsoft Works
2009-05-14 09:02 . 2009-05-14 09:02 -------- d-----w c:\program files\Microsoft.NET
2009-05-14 08:58 . 2009-05-14 08:58 -------- d-----w c:\program files\Microsoft Visual Studio 8
2009-05-14 08:55 . 2009-05-14 08:55 -------- d-----w c:\documents and settings\Steven & Adam\Local Settings\Application Data\Microsoft Help
2009-05-14 08:55 . 2009-05-14 12:24 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-14 08:54 . 2009-05-14 08:54 -------- d--h--r C:\MSOCache
2009-05-09 23:58 . 2009-05-09 23:58 3532 ----a-w C:\drmHeader.bin
2009-04-17 06:53 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 06:53 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 06:53 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 06:53 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 06:53 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 06:53 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 06:53 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 06:53 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 06:53 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 06:52 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 06:52 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 04:14 . 2006-09-23 15:18 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-17 01:38 . 2006-12-08 17:03 -------- d-----w c:\program files\Windows Media Connect 2
2009-05-17 01:38 . 2006-09-24 11:00 -------- d-----w c:\program files\eMule
2009-05-17 01:38 . 2006-09-23 15:18 -------- d-----w c:\program files\DivX
2009-05-16 23:49 . 2006-09-24 10:50 -------- d-----w c:\program files\Common Files\Adobe
2009-05-16 23:46 . 2006-09-23 15:18 -------- d-----w c:\program files\Ahead
2009-05-16 21:58 . 2007-09-03 14:55 47360 ----a-w c:\documents and settings\Steven & Adam\Application Data\pcouffin.sys
2009-05-16 21:57 . 2006-09-23 15:18 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-15 08:02 . 2006-09-21 14:33 73984 ----a-w c:\documents and settings\Steven & Adam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-14 09:04 . 2009-02-06 10:53 -------- d-----w c:\program files\MSBuild
2009-05-02 10:53 . 2008-02-09 11:31 -------- d-----w c:\program files\Azureus
2009-04-19 04:56 . 2006-09-23 15:18 -------- d-----w c:\program files\Java
2009-04-13 00:54 . 2008-07-15 10:52 -------- d-----w c:\program files\Norton 360
2009-04-03 20:59 . 2009-03-29 02:35 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-03-23 07:01 . 2009-03-23 07:01 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-21 04:17 . 2006-09-23 15:18 -------- d-----w c:\program files\iTunes
2009-03-21 04:16 . 2009-03-21 04:16 -------- d-----w c:\program files\iPod
2009-03-21 04:14 . 2009-03-21 04:14 -------- d-----w c:\program files\QuickTime
2009-03-08 19:19 . 2008-12-14 03:02 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-07 17:34 . 2006-02-28 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-07 17:34 . 2006-02-28 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-07 17:33 . 2006-02-28 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-07 17:33 . 2006-02-28 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-07 17:32 . 2006-02-28 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-07 17:32 . 2006-02-28 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-07 17:31 . 2006-02-28 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-07 17:31 . 2006-02-28 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-07 17:31 . 2006-02-28 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-07 17:22 . 2006-02-28 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2006-02-28 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 12:59 . 2009-03-21 04:10 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-05 12:59 . 2009-03-21 04:10 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-02-20 22:25 . 2008-12-31 07:04 691592 ----a-w c:\windows\system32\OGACheckControl.DLL
2009-02-19 01:03 . 2009-02-19 01:03 579464 ----a-w c:\windows\system32\SymNeti.dll
2009-02-19 01:03 . 2009-02-19 01:03 207240 ----a-w c:\windows\system32\SymRedir.dll
2009-02-19 00:31 . 2009-02-19 00:31 31280 ----a-w c:\windows\system32\drivers\SymIM.sys
2009-02-19 00:31 . 2009-02-19 00:31 41008 ----a-w c:\windows\system32\drivers\symndisv.sys
2009-02-19 00:31 . 2009-02-19 00:31 96560 ----a-w c:\windows\system32\drivers\symfw.sys
2009-02-19 00:31 . 2009-02-19 00:31 38576 ----a-w c:\windows\system32\drivers\symids.sys
2009-02-19 00:31 . 2009-02-19 00:31 37424 ----a-w c:\windows\system32\drivers\symndis.sys
2009-02-19 00:31 . 2009-02-19 00:31 22320 ----a-w c:\windows\system32\drivers\symredrv.sys
2009-02-19 00:31 . 2009-02-19 00:31 184496 ----a-w c:\windows\system32\drivers\symtdi.sys
2009-02-19 00:31 . 2009-02-19 00:31 13616 ----a-w c:\windows\system32\drivers\symdns.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-10 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-11 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"GBB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-06-02 385024]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-17 45056]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-05-27 16208384]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-28 76304]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2006-12-11 20480]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2006-12-11 19456]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-9-26 113664]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-24 805392]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-01 18:42 72208 ----a-w c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0"
"UpdatesDisableNotify"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:Emule TCP Port

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [19/02/2008 5:37 AM 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/02/2009 8:45 PM 101936]
S2 gqsgq;gqsgq;c:\windows\system32\drivers\iqtmp.sys --> c:\windows\system32\drivers\iqtmp.sys [?]
S2 rfpbvm;rfpbvm;c:\windows\system32\drivers\qxsjavk.sys --> c:\windows\system32\drivers\qxsjavk.sys [?]
S3 BPIKSp50;BPIKSp50 NDIS Protocol Driver;\??\g:\bpiksp50.sys --> g:\BPIKSp50.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [13/01/2008 12:32 PM 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2008-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 04:34]

2009-05-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-28 00:44]

2009-05-16 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

2009-05-17 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

2009-05-16 c:\windows\Tasks\User_Feed_Synchronization-{6A50B563-0EB9-487E-A3C7-C7F0DEE17FF7}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:31]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
HKLM-Run-Bluetooth Connection Assistant - LBTWIZ.EXE


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.theage.com.au/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 14:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2009-05-17 14:21
ComboFix-quarantined-files.txt 2009-05-17 04:20

Pre-Run: 5,353,644,032 bytes free
Post-Run: 5,425,655,808 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
e:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

245 --- E O F --- 2009-05-13 08:23

Thanks

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:30 PM

Posted 17 May 2009 - 05:14 AM

Thanks. :step1:

Do yourself a favor and get rid of Reg Mechanic. Registry cleaners can mess up so many things. :) It happened to me one time even, so I'm not just saying that. :step4:

Let's get you a decent AntiVirus! :thumbup2: AVG, Avira OR Avast are good FREE antivirus.

Is that the only issue you were having? :step5:

#7 psyclone

psyclone
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:30 AM

Posted 17 May 2009 - 05:32 AM

Yes, the malware removal problem was the issue. So do you think I'm in the clear now?

I thought the following lines in the log file might have been suspect... not that I would know, though.


S2 gqsgq;gqsgq;c:\windows\system32\drivers\iqtmp.sys --> c:\windows\system32\drivers\iqtmp.sys [?]
S2 rfpbvm;rfpbvm;c:\windows\system32\drivers\qxsjavk.sys --> c:\windows\system32\drivers\qxsjavk.sys [?]
S3 BPIKSp50;BPIKSp50 NDIS Protocol Driver;\??\g:\bpiksp50.sys --> g:\BPIKSp50.sys [?]


Thanks for all your help.

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:30 PM

Posted 17 May 2009 - 05:44 AM

Hello,


S3 BPIKSp50;BPIKSp50 NDIS Protocol Driver;\??\g:\bpiksp50.sys --> g:\BPIKSp50.sys [?] is legit:
http://www.threatexpert.com/files/pcasp50.sys.html

Do you use Adaptive Server IQ, or any software that does use it? If so, then this is legit too:
S2 gqsgq;gqsgq;c:\windows\system32\drivers\iqtmp.sys --> c:\windows\system32\drivers\iqtmp.sys [?]

If not, let's have it tested to be sure:

Please navigate to the following file:

c:\windows\system32\drivers\iqtmp.sys

Please go to VirusTotal and submit the file for a scan and post the results in your next reply.

For the last one, it does look to be bad and we can remove it:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
c:\windows\system32\drivers\qxsjavk.sys

Driver::
qxsjavk


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
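The three driver lines discussed in the two posts above, run through a small triage script. This is an added example, not ComboFix's own code and not anything posted in the thread. The line format is my reading of the log quoted earlier (an assumption, not a published spec): the leading letter is R for running or S for stopped, the digit is the service start type, and the bracketed tail is either the file's date, time and size or `?` when ComboFix could not read the image file. The scoring rules in `suspicion_reasons()` are the example's own heuristics; they reproduce the sorting done above (the two vowel-less, file-missing S2 entries get checked, the NDIS driver with a readable display name does not) without deciding anything about a file's actual nature, which is what the VirusTotal check is for.

```python
"""Triage helper for the service/driver lines of a ComboFix log.

Added example: not ComboFix's own code and not anything posted in this thread.
Line format as read from the log quoted above (an assumption, not a spec):

    <State><Start> <name>;<display name>;<image path>[ --> <resolved path>] [<file info>]

State is R (running) or S (stopped), Start is the service start type
(2 = automatic, 3 = on demand), and the bracketed field is either
"<date> <time> <size>" or "?" when ComboFix could not read the image file.
The rules in suspicion_reasons() are this example's own heuristics.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"         # R2 / S3 ...
    r"(?P<name>[^;]+);(?P<display>[^;]+);"       # service name; display name;
    r"(?P<path>.+?)"                             # image path as registered
    r"(?:\s+-->\s+(?P<resolved>.+?))?"           # optional resolved path
    r"\s+\[(?P<info>[^\]]*)\]\s*$"               # [date time size] or [?]
)

# The six service/driver lines from the ComboFix log posted above.
SAMPLE_LOG = r"""
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [19/02/2008 5:37 AM 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/02/2009 8:45 PM 101936]
S2 gqsgq;gqsgq;c:\windows\system32\drivers\iqtmp.sys --> c:\windows\system32\drivers\iqtmp.sys [?]
S2 rfpbvm;rfpbvm;c:\windows\system32\drivers\qxsjavk.sys --> c:\windows\system32\drivers\qxsjavk.sys [?]
S3 BPIKSp50;BPIKSp50 NDIS Protocol Driver;\??\g:\bpiksp50.sys --> g:\BPIKSp50.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [13/01/2008 12:32 PM 23888]
"""


@dataclass
class ServiceEntry:
    state: str            # "R" running / "S" stopped
    start_type: int       # 2 automatic, 3 on demand (Windows SERVICE_*_START values)
    name: str
    display: str
    path: str
    resolved: Optional[str]
    file_info: str        # "<date> <time> <size>" or "?"

    @property
    def file_unknown(self) -> bool:
        """True when ComboFix could not stat the image (missing or hidden)."""
        return self.file_info.strip() == "?"


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one R?/S? line; return None for any other log line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        state=m["state"], start_type=int(m["start"]), name=m["name"],
        display=m["display"], path=m["path"], resolved=m["resolved"],
        file_info=m["info"],
    )


def suspicion_reasons(e: ServiceEntry) -> List[str]:
    """Heuristic indicators (this example's own) that an entry deserves a look."""
    reasons = []
    if e.file_unknown:
        reasons.append("file info unavailable ([?]): image missing or hidden")
    if e.name == e.display:
        reasons.append("display name identical to the service name")
    if re.fullmatch(r"[a-z]+", e.name) and not re.search(r"[aeiou]", e.name):
        reasons.append("lowercase service name with no vowels (looks generated)")
    return reasons


def triage(log_text: str, threshold: int = 2) -> List[Tuple[str, List[str]]]:
    """Return (service name, reasons) for entries with >= threshold indicators."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry)
        if len(reasons) >= threshold:
            flagged.append((entry.name, reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG):
        print(f"check {name}:")
        for r in reasons:
            print(f"  - {r}")
```

Running it lists gqsgq and rfpbvm for checking and leaves BPIKSp50 and COH_Mon alone, which matches the split above; the threshold is deliberately low because the script only orders what a person should look at first, it does not replace submitting the file for a scan.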

#9 psyclone

psyclone
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:30 AM

Posted 17 May 2009 - 07:29 AM

"Do you use Adaptive Server IQ, or any software that does use it?"
I'm not sure what the above means so don't know if I use any software like that.

I tried to find iqtmp.sys for the VirusTotal scan but it does not show in that folder. I did a scan of the complete C drive and could not find it.


Did the txt file and ComboFix; the log is below, followed by the new HJT log.

ComboFix 09-05-16.05 - Steven & Adam 17/05/2009 22:18.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1023.536 [GMT 10:00]
Running from: c:\documents and settings\Steven & Adam\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steven & Adam\Desktop\CFScript.txt

FILE ::
c:\windows\system32\drivers\qxsjavk.sys
.

((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-05-17 08:18 . 2009-05-17 08:18 -------- d-----w c:\documents and settings\Steven & Adam\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-05-17 07:56 . 2009-05-17 08:19 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-17 07:52 . 2009-05-17 07:59 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-05-17 07:52 . 2009-05-17 07:59 -------- d-----w c:\program files\NOS
2009-05-17 03:46 . 2009-05-17 03:46 -------- d-----w c:\program files\Trend Micro
2009-05-17 00:38 . 2009-05-17 00:38 -------- d-----w c:\documents and settings\Steven & Adam\Application Data\Malwarebytes
2009-05-17 00:26 . 2009-04-06 05:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-17 00:26 . 2009-04-06 05:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-17 00:26 . 2009-05-17 00:26 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-17 00:26 . 2009-05-17 00:38 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-16 08:12 . 2009-05-16 08:12 -------- d--h--w c:\windows\PIF
2009-05-15 21:42 . 2009-05-15 21:42 -------- d-----w c:\documents and settings\Steven & Adam\Application Data\Windows Search
2009-05-15 21:22 . 2009-05-15 22:03 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-05-15 21:21 . 2009-05-15 21:21 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-15 21:21 . 2009-05-17 07:10 -------- d-----w c:\program files\Windows Desktop Search
2009-05-15 21:21 . 2009-05-15 21:21 -------- d-----w c:\windows\system32\GroupPolicy
2009-05-15 21:19 . 2008-03-07 17:02 29696 -c----w c:\windows\system32\dllcache\mimefilt.dll
2009-05-15 21:19 . 2008-03-07 17:02 98304 -c----w c:\windows\system32\dllcache\nlhtml.dll
2009-05-15 21:19 . 2008-03-07 17:02 192000 -c----w c:\windows\system32\dllcache\offfilt.dll
2009-05-14 09:05 . 2008-11-10 01:41 32656 ----a-w c:\windows\system32\msonpmon.dll
2009-05-14 09:04 . 2009-05-14 09:54 -------- d-----w c:\program files\Microsoft Works
2009-05-14 09:02 . 2009-05-14 09:02 -------- d-----w c:\program files\Microsoft.NET
2009-05-14 08:58 . 2009-05-14 08:58 -------- d-----w c:\program files\Microsoft Visual Studio 8
2009-05-14 08:55 . 2009-05-14 08:55 -------- d-----w c:\documents and settings\Steven & Adam\Local Settings\Application Data\Microsoft Help
2009-05-14 08:55 . 2009-05-14 12:24 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-14 08:54 . 2009-05-14 08:54 -------- d--h--r C:\MSOCache
2009-05-09 23:58 . 2009-05-09 23:58 3532 ----a-w C:\drmHeader.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 08:33 . 2006-11-02 00:43 -------- d-----w c:\program files\Common Files\Real
2009-05-17 08:28 . 2006-09-23 15:18 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-17 07:55 . 2006-09-24 10:50 -------- d-----w c:\program files\Common Files\Adobe
2009-05-17 07:10 . 2008-06-28 03:20 -------- d-----w c:\program files\Google
2009-05-17 06:59 . 2006-10-19 00:07 -------- d-----w c:\program files\Windows Live Safety Center
2009-05-17 06:56 . 2006-09-23 15:18 -------- d-----w c:\program files\Java
2009-05-17 01:38 . 2006-12-08 17:03 -------- d-----w c:\program files\Windows Media Connect 2
2009-05-17 01:38 . 2006-09-24 11:00 -------- d-----w c:\program files\eMule
2009-05-17 01:38 . 2006-09-23 15:18 -------- d-----w c:\program files\DivX
2009-05-16 23:46 . 2006-09-23 15:18 -------- d-----w c:\program files\Ahead
2009-05-16 21:58 . 2007-09-03 14:55 47360 ----a-w c:\documents and settings\Steven & Adam\Application Data\pcouffin.sys
2009-05-16 21:57 . 2006-09-23 15:18 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-15 08:02 . 2006-09-21 14:33 73984 ----a-w c:\documents and settings\Steven & Adam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-14 09:04 . 2009-02-06 10:53 -------- d-----w c:\program files\MSBuild
2009-05-02 10:53 . 2008-02-09 11:31 -------- d-----w c:\program files\Azureus
2009-04-03 20:59 . 2009-03-29 02:35 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-03-23 07:01 . 2009-03-23 07:01 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-21 04:17 . 2006-09-23 15:18 -------- d-----w c:\program files\iTunes
2009-03-21 04:16 . 2009-03-21 04:16 -------- d-----w c:\program files\iPod
2009-03-21 04:14 . 2009-03-21 04:14 -------- d-----w c:\program files\QuickTime
2009-03-08 19:19 . 2008-12-14 03:02 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-07 17:34 . 2006-02-28 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-07 17:34 . 2006-02-28 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-07 17:33 . 2006-02-28 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-07 17:33 . 2006-02-28 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-07 17:32 . 2006-02-28 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-07 17:32 . 2006-02-28 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-07 17:31 . 2006-02-28 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-07 17:31 . 2006-02-28 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-07 17:31 . 2006-02-28 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-07 17:22 . 2006-02-28 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2006-02-28 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 12:59 . 2009-03-21 04:10 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-05 12:59 . 2009-03-21 04:10 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-02-20 22:25 . 2008-12-31 07:04 691592 ----a-w c:\windows\system32\OGACheckControl.DLL
.

((((((((((((((((((((((((((((( SnapShot@2009-05-17_04.18.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-02-28 12:00 . 2009-05-17 07:00 71982 c:\windows\system32\perfc009.dat
+ 2006-09-21 14:29 . 2009-05-17 07:53 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-09-21 14:29 . 2009-05-16 07:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-09-21 14:29 . 2009-05-17 07:53 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-09-21 14:29 . 2009-05-16 07:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-09-21 14:29 . 2009-05-17 07:53 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-09-21 14:29 . 2009-05-16 07:45 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-02-28 12:00 . 2009-05-17 07:00 443724 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-10 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-11 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"GBB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-06-02 385024]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-17 45056]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-05-27 16208384]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-28 76304]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2006-12-11 20480]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2006-12-11 19456]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Steven & Adam\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-9-26 113664]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-24 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-01 18:42 72208 ----a-w c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\eMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:*:Disabled:Emule TCP Port

S2 gqsgq;gqsgq;c:\windows\system32\drivers\iqtmp.sys --> c:\windows\system32\drivers\iqtmp.sys [?]
S2 rfpbvm;rfpbvm;c:\windows\system32\drivers\qxsjavk.sys --> c:\windows\system32\drivers\qxsjavk.sys [?]
S3 BPIKSp50;BPIKSp50 NDIS Protocol Driver;\??\g:\bpiksp50.sys --> g:\BPIKSp50.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2008-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 04:34]

2009-05-17 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

2009-05-17 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

2009-05-17 c:\windows\Tasks\User_Feed_Synchronization-{6A50B563-0EB9-487E-A3C7-C7F0DEE17FF7}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.theage.com.au/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 22:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(4040)
c:\program files\Logitech\SetPoint\IMHook.dll
c:\windows\system32\nview.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-17 22:20
ComboFix-quarantined-files.txt 2009-05-17 12:20
ComboFix2.txt 2009-05-17 08:59
ComboFix3.txt 2009-05-17 04:21

Pre-Run: 5,853,429,760 bytes free
Post-Run: 5,834,215,424 bytes free

206 --- E O F --- 2009-05-13 08:23



______________________________________________



HJT Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:50 PM, on 17/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theage.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158968232375
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherA...iomanagerwt.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...327/mcfscan.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B7CC692-DEF0-4C9E-A11A-530DB952D56D}: NameServer = 10.0.0.138
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 9581 bytes

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:30 PM

Posted 17 May 2009 - 07:47 AM

And the AntiVirus issue? Also, how is it running now please? :thumbup2: I still see remnants of Norton.....

Take this one to Virus Total also, since you don't know what it is :

c:\windows\system32\drivers\iqtmp.sys

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 psyclone

psyclone
  • Topic Starter

  • Members
  • 11 posts
  • Local time:10:30 AM

Posted 17 May 2009 - 05:07 PM

I haven't reinstalled Norton yet. Am going to do that once I'm sure I have cleaned the PC.

I can't find the IQTMP.SYS file when I browse to that folder, so I'm not sure how I upload it for testing at Virus Total.

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:30 PM

Posted 17 May 2009 - 05:19 PM

My apologies.....I assumed since you asked about them that you saw them still there. Have you done a Windows search for both of them?

Also, you never said how the computer is running. :thumbup2:

tea

#13 psyclone

psyclone
  • Topic Starter

  • Members
  • 11 posts
  • Local time:10:30 AM

Posted 17 May 2009 - 05:43 PM

No, I just saw them in the logs and couldn't figure out what they were for. I have done a windows search for both files but I cannot find them at all. I made sure it was looking in all folders and was showing hidden files too.

Aside from cleaning up these couple of files, the PC is running faster than it has for a long time!

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:30 PM

Posted 19 May 2009 - 07:57 AM

Hello,

Glad it's running well. :thumbup2:

Let's see if that last file is really there then:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
c:\windows\system32\drivers\iqtmp.sys

Driver::
iqtmp


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Thanks,
tea
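As an added example, not code from this thread or from ComboFix itself, the following Python script reads the service lines ComboFix prints (the `S2 gqsgq;gqsgq;...iqtmp.sys --> ... [?]` and `S2 rfpbvm;...` entries in the earlier log), flags auto-start drivers whose file is reported missing and whose display name is nothing but the service name itself, and writes out the same `File::` / `Driver::` sections teacup61 asked for in the post above. The line format is taken from the log as posted; reading the leading R/S as running/stopped, reading `[?]` as "file not found", and the fourth (healthy) sample line are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ComboFix lists non-default services in its "Reg Loading Points" section as
#   <R|S><start> <service name>;<display name>;<image path> [--> <on-disk path>] [<date size> | ?]
# Format as seen in the log posted in this thread; treating R/S as running/stopped and
# "[?]" as "file not found" is my reading of it, not ComboFix documentation.
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)"
    r"(?:\s+-->\s+(?P<resolved>.+?))?"
    r"\s+\[(?P<info>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    running: bool        # R = running, S = stopped (assumed meaning of the prefix)
    start: int           # registry Start value: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str            # key name under HKLM\SYSTEM\CurrentControlSet\Services
    display: str         # DisplayName, or the key name repeated when none is set
    path: str            # on-disk path ComboFix resolved, falling back to the raw ImagePath
    file_present: bool   # False when ComboFix printed "[?]" instead of "[date size]"


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for a ComboFix service line, or None for any other line."""
    m = SERVICE_LINE.match(line.strip())
    if m is None:
        return None
    return ServiceEntry(
        running=m.group("state") == "R",
        start=int(m.group("start")),
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        path=(m.group("resolved") or m.group("path")).strip(),
        file_present=m.group("info").strip() != "?",
    )


def is_orphaned_autostart_driver(e: ServiceEntry) -> bool:
    """Heuristic drawn from this thread: an auto-start (Start=2) entry whose file is gone
    and whose display name is just its own service name. Legitimate drivers normally carry
    a vendor-supplied display name; leftovers like gqsgq/rfpbvm do not."""
    return e.start == 2 and not e.file_present and e.display.lower() == e.name.lower()


def find_orphans(log_text: str) -> List[ServiceEntry]:
    """Scan a whole ComboFix log and return the entries the heuristic flags."""
    entries = (parse_service_line(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and is_orphaned_autostart_driver(e)]


def cfscript_for(entries: List[ServiceEntry]) -> str:
    """Build the two-section CFScript (File:: / Driver::) in the form shown in the post above."""
    files = "\n".join(e.path for e in entries)
    drivers = "\n".join(e.name for e in entries)
    return f"File::\n{files}\n\nDriver::\n{drivers}\n"


# Sample input: the first three lines are copied from the ComboFix log in this thread;
# the fourth is a constructed healthy entry for contrast.
SAMPLE_LINES = [
    r"S2 gqsgq;gqsgq;c:\windows\system32\drivers\iqtmp.sys --> c:\windows\system32\drivers\iqtmp.sys [?]",
    r"S2 rfpbvm;rfpbvm;c:\windows\system32\drivers\qxsjavk.sys --> c:\windows\system32\drivers\qxsjavk.sys [?]",
    r"S3 BPIKSp50;BPIKSp50 NDIS Protocol Driver;\??\g:\bpiksp50.sys --> g:\BPIKSp50.sys [?]",
    r"R2 mbamswissarmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-04-06 38496]",
]

if __name__ == "__main__":
    orphans = find_orphans("\n".join(SAMPLE_LINES))
    for e in orphans:
        print(f"orphaned auto-start driver: {e.name} -> {e.path}")
    print(cfscript_for(orphans))
```

The S3 `BPIKSp50` line is deliberately not flagged: its file is also missing, but it is a manual-start protocol driver on a removable drive (`g:`) with a real display name, which is why the helper in this thread only targeted the two `S2` entries. The heuristic is a triage aid for reading the log, and its output still wants the same review a helper would give it before anything is removed.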

#15 psyclone

psyclone
  • Topic Starter

  • Members
  • 11 posts
  • Local time:10:30 AM

Posted 20 May 2009 - 03:58 AM

Ran combofix as requested, here's the log.

ComboFix 09-05-19.08 - Steven & Adam 20/05/2009 18:51.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1023.476 [GMT 10:00]
Running from: c:\documents and settings\Steven & Adam\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steven & Adam\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
c:\windows\system32\drivers\iqtmp.sys
.

((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-05-18 11:11 . 2009-05-18 11:11 -------- d-----w c:\documents and settings\Steven & Adam\Local Settings\Application Data\PCHealth
2009-05-18 08:34 . 2009-05-18 08:34 -------- d-----w c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-05-18 08:33 . 2009-05-18 08:33 -------- d-----w c:\documents and settings\Steven & Adam\Local Settings\Application Data\Downloaded Installations
2009-05-18 08:33 . 2009-05-18 08:33 36400 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-05-18 08:33 . 2009-05-18 08:33 60808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-05-18 08:33 . 2009-05-18 08:33 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-18 08:33 . 2009-05-18 08:33 -------- d-----w c:\program files\Symantec
2009-05-18 08:32 . 2009-05-18 08:32 -------- d-----w c:\windows\system32\drivers\N360
2009-05-18 08:32 . 2009-05-18 08:32 -------- d-----w c:\program files\Norton 360
2009-05-18 08:20 . 2009-05-18 08:20 -------- d-----w c:\documents and settings\All Users\Application Data\PCSettings
2009-05-18 08:20 . 2009-05-18 08:34 -------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-05-18 08:20 . 2009-05-18 08:20 -------- d-----w c:\program files\NortonInstaller
2009-05-18 08:20 . 2009-05-18 08:31 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-05-17 08:18 . 2009-05-17 08:18 -------- d-----w c:\documents and settings\Steven & Adam\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-05-17 07:56 . 2009-05-17 08:19 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-17 07:52 . 2009-05-17 07:59 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-05-17 03:46 . 2009-05-17 03:46 -------- d-----w c:\program files\Trend Micro
2009-05-17 00:38 . 2009-05-17 00:38 -------- d-----w c:\documents and settings\Steven & Adam\Application Data\Malwarebytes
2009-05-17 00:26 . 2009-04-06 05:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-17 00:26 . 2009-04-06 05:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-17 00:26 . 2009-05-17 00:26 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-17 00:26 . 2009-05-17 00:38 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-16 08:12 . 2009-05-16 08:12 -------- d--h--w c:\windows\PIF
2009-05-15 21:42 . 2009-05-15 21:42 -------- d-----w c:\documents and settings\Steven & Adam\Application Data\Windows Search
2009-05-15 21:22 . 2009-05-15 22:03 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-05-15 21:21 . 2009-05-15 21:21 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-15 21:21 . 2009-05-17 07:10 -------- d-----w c:\program files\Windows Desktop Search
2009-05-15 21:21 . 2009-05-15 21:21 -------- d-----w c:\windows\system32\GroupPolicy
2009-05-15 21:19 . 2008-03-07 17:02 29696 -c----w c:\windows\system32\dllcache\mimefilt.dll
2009-05-15 21:19 . 2008-03-07 17:02 98304 -c----w c:\windows\system32\dllcache\nlhtml.dll
2009-05-15 21:19 . 2008-03-07 17:02 192000 -c----w c:\windows\system32\dllcache\offfilt.dll
2009-05-14 09:05 . 2008-11-10 01:41 32656 ----a-w c:\windows\system32\msonpmon.dll
2009-05-14 09:04 . 2009-05-14 09:54 -------- d-----w c:\program files\Microsoft Works
2009-05-14 09:02 . 2009-05-14 09:02 -------- d-----w c:\program files\Microsoft.NET
2009-05-14 08:58 . 2009-05-14 08:58 -------- d-----w c:\program files\Microsoft Visual Studio 8
2009-05-14 08:55 . 2009-05-14 08:55 -------- d-----w c:\documents and settings\Steven & Adam\Local Settings\Application Data\Microsoft Help
2009-05-14 08:55 . 2009-05-18 11:11 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-14 08:54 . 2009-05-14 08:54 -------- d--h--r C:\MSOCache
2009-05-09 23:58 . 2009-05-09 23:58 3532 ----a-w C:\drmHeader.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-18 09:35 . 2006-09-22 12:12 -------- d-----w c:\program files\Common Files\InstallShield
2009-05-18 09:35 . 2006-09-25 10:43 -------- d-----w c:\program files\CyberLink
2009-05-18 09:34 . 2006-09-22 12:12 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-18 08:35 . 2006-09-23 15:18 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-18 08:33 . 2009-05-18 08:33 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-05-18 08:33 . 2009-05-18 08:33 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-17 08:33 . 2006-11-02 00:43 -------- d-----w c:\program files\Common Files\Real
2009-05-17 07:55 . 2006-09-24 10:50 -------- d-----w c:\program files\Common Files\Adobe
2009-05-17 07:10 . 2008-06-28 03:20 -------- d-----w c:\program files\Google
2009-05-17 06:59 . 2006-10-19 00:07 -------- d-----w c:\program files\Windows Live Safety Center
2009-05-17 06:56 . 2006-09-23 15:18 -------- d-----w c:\program files\Java
2009-05-17 01:38 . 2006-12-08 17:03 -------- d-----w c:\program files\Windows Media Connect 2
2009-05-17 01:38 . 2006-09-24 11:00 -------- d-----w c:\program files\eMule
2009-05-17 01:38 . 2006-09-23 15:18 -------- d-----w c:\program files\DivX
2009-05-16 23:46 . 2006-09-23 15:18 -------- d-----w c:\program files\Ahead
2009-05-16 21:58 . 2007-09-03 14:55 47360 ----a-w c:\documents and settings\Steven & Adam\Application Data\pcouffin.sys
2009-05-15 08:02 . 2006-09-21 14:33 73984 ----a-w c:\documents and settings\Steven & Adam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-14 09:04 . 2009-02-06 10:53 -------- d-----w c:\program files\MSBuild
2009-05-02 10:53 . 2008-02-09 11:31 -------- d-----w c:\program files\Azureus
2009-04-03 20:59 . 2009-03-29 02:35 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-03-23 07:01 . 2009-03-23 07:01 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-08 19:19 . 2008-12-14 03:02 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-07 17:34 . 2006-02-28 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-07 17:34 . 2006-02-28 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-07 17:33 . 2006-02-28 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-07 17:33 . 2006-02-28 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-07 17:32 . 2006-02-28 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-07 17:32 . 2006-02-28 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-07 17:31 . 2006-02-28 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-07 17:31 . 2006-02-28 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-07 17:31 . 2006-02-28 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-07 17:22 . 2006-02-28 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2006-02-28 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 12:59 . 2009-03-21 04:10 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-05 12:59 . 2009-03-21 04:10 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-02-20 22:25 . 2008-12-31 07:04 691592 ----a-w c:\windows\system32\OGACheckControl.DLL
.

((((((((((((((((((((((((((((( SnapShot@2009-05-17_04.18.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-20 07:46 . 2009-05-20 07:46 16384 c:\windows\temp\Perflib_Perfdata_240.dat
+ 2006-02-28 12:00 . 2009-05-17 07:00 71982 c:\windows\system32\perfc009.dat
+ 2009-05-19 08:20 . 2009-05-19 08:20 15996 c:\windows\system32\Lang\TradChin.bin
+ 2009-05-19 08:20 . 2009-05-19 08:20 20305 c:\windows\system32\Lang\Thai.bin
+ 2009-05-19 08:20 . 2009-05-19 08:20 22252 c:\windows\system32\Lang\SWEDISH.bin
+ 2009-05-19 08:20 . 2009-05-19 08:20 25526 c:\windows\system32\Lang\Spanish.bin
+ 2009-05-19 08:20 . 2009-05-19 08:20 15224 c:\windows\system32\Lang\SimChin.bin
+ 2009-05-19 08:20 . 2009-05-19 08:20 24205 c:\windows\system32\Lang\Russian.bin
+ 2009-05-19 08:20 . 2009-05-19 08:20 24139 c:\windows\system32\Lang\Portuguese.bin
+ 2009-05-19 08:20 . 2009-05-19 08:20 23011 c:\windows\system32\Lang\Portuguese(Brazil).bin
+ 2009-05-19 08:20 . 2009-05-19 08:20 22098 c:\windows\system32\Lang\Polish.bin
+ 2009-05-19 08:19 . 2009-05-19 08:20 18617 c:\windows\system32\Lang\Korean.bin
+ 2009-05-19 08:19 . 2009-05-19 08:19 22341 c:\windows\system32\Lang\Japanese.bin
+ 2009-05-19 08:20 . 2009-05-19 08:20 25297 c:\windows\system32\Lang\Italian.bin
+ 2009-05-19 08:20 . 2009-05-19 08:20 22982 c:\windows\system32\Lang\Greek.bin
+ 2009-05-19 08:20 . 2009-05-19 08:20 23724 c:\windows\system32\Lang\German.bin
+ 2009-05-19 08:20 . 2009-05-19 08:20 25175 c:\windows\system32\Lang\French.bin
+ 2009-05-19 08:20 . 2009-05-19 08:20 20335 c:\windows\system32\Lang\English.bin
+ 2009-05-19 08:20 . 2009-05-19 08:20 23657 c:\windows\system32\Lang\Dutch.bin
+ 2009-05-19 08:20 . 2009-05-19 08:20 22368 c:\windows\system32\Lang\Danish.bin
+ 2009-05-19 08:20 . 2009-05-19 08:20 19713 c:\windows\system32\Lang\Arabic.bin
+ 2004-08-03 23:08 . 2008-04-13 16:45 49408 c:\windows\system32\drivers\stream.sys
- 2004-08-03 23:08 . 2008-04-13 15:45 49408 c:\windows\system32\drivers\stream.sys
+ 2009-05-18 08:33 . 2009-05-18 08:33 39984 c:\windows\system32\drivers\N360\0300000.087\symndisv.sys
+ 2009-05-18 08:33 . 2009-05-18 08:33 37296 c:\windows\system32\drivers\N360\0300000.087\symndis.sys
+ 2009-05-18 08:33 . 2009-05-18 08:33 34736 c:\windows\system32\drivers\N360\0300000.087\symids.sys
+ 2009-05-18 08:33 . 2009-05-18 08:33 89776 c:\windows\system32\drivers\N360\0300000.087\symfw.sys
+ 2009-05-18 08:33 . 2009-05-18 08:33 43696 c:\windows\system32\drivers\N360\0300000.087\srtspx.sys
+ 2006-09-22 12:19 . 2008-04-13 16:45 60160 c:\windows\system32\drivers\drmk.sys
- 2006-09-22 12:19 . 2008-04-13 15:45 60160 c:\windows\system32\drivers\drmk.sys
+ 2004-08-03 23:08 . 2008-04-13 16:45 49408 c:\windows\system32\dllcache\stream.sys
- 2004-08-03 23:08 . 2008-04-13 15:45 49408 c:\windows\system32\dllcache\stream.sys
- 2006-09-22 12:19 . 2008-04-13 15:45 60160 c:\windows\system32\dllcache\drmk.sys
+ 2006-09-22 12:19 . 2008-04-13 16:45 60160 c:\windows\system32\dllcache\drmk.sys
+ 2006-09-21 14:29 . 2009-05-17 07:53 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-09-21 14:29 . 2009-05-16 07:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-09-21 14:29 . 2009-05-17 07:53 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-09-21 14:29 . 2009-05-16 07:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-09-21 14:29 . 2009-05-17 07:53 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-09-21 14:29 . 2009-05-16 07:45 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-09-22 12:19 . 2006-05-04 08:22 86016 c:\windows\SOUNDMAN.EXE
+ 2006-09-22 12:19 . 2005-09-21 00:24 86016 c:\windows\SOUNDMAN.EXE
- 2009-05-14 09:05 . 2009-05-14 10:25 35088 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-05-14 09:05 . 2009-05-18 11:11 35088 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-05-14 09:05 . 2009-05-14 10:25 18704 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-05-14 09:05 . 2009-05-18 11:11 18704 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-05-14 09:05 . 2009-05-14 10:25 20240 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-05-14 09:05 . 2009-05-18 11:11 20240 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-11-03 17:29 . 2008-11-03 17:29 39248 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\REFEDIT.DLL
+ 2009-04-02 02:02 . 2009-04-02 02:02 17792 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\OPHPROXY.DLL
+ 2009-04-02 02:02 . 2009-04-02 02:02 15760 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\OMUOPTINPS.DLL
+ 2009-04-02 02:01 . 2009-04-02 02:01 42864 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\MSSH.DLL
+ 2008-11-10 00:50 . 2008-11-10 00:50 68472 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\MSOHTMED.EXE
+ 2008-11-10 00:50 . 2008-11-10 00:50 76664 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\MSOHEV.DLL
+ 2008-11-10 01:38 . 2008-11-10 01:38 27000 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\MSOEURO.DLL
+ 2009-04-02 02:01 . 2009-04-02 02:01 18816 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\MSMH.DLL
+ 2008-10-24 20:18 . 2008-10-24 20:18 54152 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\AUTHZAX.DLL
- 2006-09-22 12:19 . 2005-05-03 10:43 69632 c:\windows\ALCMTR.EXE
+ 2006-09-22 12:19 . 2005-05-03 08:43 69632 c:\windows\ALCMTR.EXE
+ 2009-05-18 11:10 . 2009-05-18 11:10 4096 c:\windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll
+ 2006-09-22 12:19 . 2005-09-16 04:14 157184 c:\windows\system32\RTCOM\RTLCPAPI.dll
+ 2006-09-22 12:19 . 2005-09-23 08:24 249856 c:\windows\system32\RTCOM\RTCOMDLL.dll
+ 2006-02-28 12:00 . 2009-05-17 07:00 443724 c:\windows\system32\perfh009.dat
- 2008-01-29 04:02 . 2008-04-17 01:12 107368 c:\windows\system32\GEARAspi.dll
+ 2008-01-29 02:02 . 2008-01-29 02:02 107368 c:\windows\system32\GEARAspi.dll
+ 2004-03-16 02:58 . 2008-04-13 17:19 146048 c:\windows\system32\drivers\portcls.sys
- 2004-03-16 02:58 . 2008-04-13 16:19 146048 c:\windows\system32\drivers\portcls.sys
+ 2009-05-18 08:33 . 2009-05-18 08:33 217392 c:\windows\system32\drivers\N360\0300000.087\symtdi.sys
+ 2009-05-18 08:33 . 2009-05-18 08:33 310320 c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys
+ 2009-05-18 08:33 . 2009-05-18 08:33 307760 c:\windows\system32\drivers\N360\0300000.087\srtsp.sys
+ 2009-05-18 08:33 . 2009-05-18 08:33 482352 c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys
+ 2009-05-18 08:33 . 2009-05-18 08:33 258608 c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys
- 2004-08-03 23:15 . 2008-04-13 16:16 141056 c:\windows\system32\drivers\ks.sys
+ 2004-08-03 23:15 . 2008-04-13 17:16 141056 c:\windows\system32\drivers\ks.sys
- 2004-03-16 02:58 . 2008-04-13 16:19 146048 c:\windows\system32\dllcache\portcls.sys
+ 2004-03-16 02:58 . 2008-04-13 17:19 146048 c:\windows\system32\dllcache\portcls.sys
- 2004-08-03 23:15 . 2008-04-13 16:16 141056 c:\windows\system32\dllcache\ks.sys
+ 2004-08-03 23:15 . 2008-04-13 17:16 141056 c:\windows\system32\dllcache\ks.sys
+ 2006-09-22 12:19 . 2005-09-21 06:29 356352 c:\windows\RtlUpd.exe
- 2009-05-14 09:05 . 2009-05-14 10:25 888080 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-05-14 09:05 . 2009-05-18 11:11 888080 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-05-14 09:05 . 2009-05-18 11:11 272648 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2009-05-14 09:05 . 2009-05-14 10:25 272648 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2009-05-14 09:05 . 2009-05-14 10:25 922384 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-05-14 09:05 . 2009-05-18 11:11 922384 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-05-14 09:05 . 2009-05-18 11:11 845584 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2009-05-14 09:05 . 2009-05-14 10:25 845584 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2009-05-14 09:05 . 2009-05-14 10:25 217864 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-05-14 09:05 . 2009-05-18 11:11 217864 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-05-14 09:05 . 2009-05-18 11:11 184080 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2009-05-14 09:05 . 2009-05-14 10:25 184080 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2009-05-14 09:05 . 2009-05-14 10:25 159504 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-05-14 09:05 . 2009-05-18 11:11 159504 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-10-24 12:50 . 2008-10-24 12:50 436584 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\MSORUN.DLL
+ 2009-03-05 18:04 . 2009-03-05 18:04 427848 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\MSODCW.DLL
+ 2008-11-24 12:17 . 2008-11-24 12:17 983944 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\FPWEC.DLL
+ 2008-11-03 15:44 . 2008-11-03 15:44 435096 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\DWTRIG20.EXE
+ 2008-11-03 15:44 . 2008-11-03 15:44 439632 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\DWDCW20.DLL
+ 2009-05-18 11:10 . 2009-05-18 11:10 110592 c:\windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll
+ 2006-09-22 12:19 . 2005-09-23 08:56 3966976 c:\windows\system32\drivers\RtkHDAud.sys
+ 2006-09-22 12:19 . 2005-09-21 05:23 9710592 c:\windows\RTLCPL.EXE
+ 2006-09-22 12:19 . 2005-09-07 00:40 2142208 c:\windows\MicCal.exe
- 2009-05-14 09:05 . 2009-05-14 10:25 1172240 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-05-14 09:05 . 2009-05-18 11:11 1172240 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-05-14 09:05 . 2009-05-14 10:25 1165584 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-05-14 09:05 . 2009-05-18 11:11 1165584 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-03-05 18:55 . 2009-03-05 18:55 7036800 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\OFFOWC.DLL
+ 2008-10-24 17:38 . 2008-10-24 17:38 1682800 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\FPSRVUTL.DLL
+ 2006-09-22 12:19 . 2005-09-21 05:32 2807808 c:\windows\ALCWZRD.EXE
+ 2006-09-22 12:19 . 2005-09-22 03:36 14854144 c:\windows\RTHDCPL.EXE
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-10 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"GBB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-06-02 385024]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-17 45056]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-28 76304]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2006-12-11 20480]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2006-12-11 19456]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-09-22 14854144]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-09-21 86016]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-09-21 2807808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-9-26 113664]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-24 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-01 18:42 72208 ----a-w c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\eMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:*:Disabled:Emule TCP Port

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys [18/05/2009 6:33 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys [18/05/2009 6:33 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys [18/05/2009 6:33 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSXpx86.sys [20/05/2009 5:55 PM 276344]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [18/05/2009 6:33 PM 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [18/05/2009 6:35 PM 101936]
S2 gqsgq;gqsgq;c:\windows\system32\drivers\iqtmp.sys --> c:\windows\system32\drivers\iqtmp.sys [?]
S2 rfpbvm;rfpbvm;c:\windows\system32\drivers\qxsjavk.sys --> c:\windows\system32\drivers\qxsjavk.sys [?]
S3 BPIKSp50;BPIKSp50 NDIS Protocol Driver;\??\g:\bpiksp50.sys --> g:\BPIKSp50.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2008-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 04:34]

2009-05-19 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

2009-05-20 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

2009-05-19 c:\windows\Tasks\User_Feed_Synchronization-{6A50B563-0EB9-487E-A3C7-C7F0DEE17FF7}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.theage.com.au/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-20 18:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.135\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(932)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(216)
c:\program files\Logitech\SetPoint\IMHook.dll
c:\windows\system32\nview.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\hnetcfg.dll
.
Completion time: 2009-05-20 18:55
ComboFix-quarantined-files.txt 2009-05-20 08:54
ComboFix2.txt 2009-05-17 12:21
ComboFix3.txt 2009-05-17 08:59
ComboFix4.txt 2009-05-17 04:21

Pre-Run: 5,728,509,952 bytes free
Post-Run: 5,884,534,784 bytes free

332 --- E O F --- 2009-05-13 08:23

Thanks