Several pieces of malware?


26 replies to this topic

#1 creighs

creighs

  • Members
  • 46 posts
  • OFFLINE
  • Location:ON
  • Local time:03:36 AM

Posted 30 May 2009 - 11:21 AM

Hello!

This post concerns my HP Pavilion dv1420 laptop. (Side Note: I have two computers I'm currently trying to fix/clean [a laptop and a desktop PC], and I've decided the easiest and most logical thing to do would be deal with each computer in separate posts. I hope you find this reasonable.)

I've run Spybot S&D, Ad-Aware Anniversary Edition, Malwarebytes' Anti-Malware, and my current AV - a fully functional student copy of Sophos. Every now and again one of the programs will catch some non-threatening adware - usually cookies/tracking related - so according to the scans I seem to be major-malware-free. I'm pretty sure I recently acquired an autorun virus (via USB), however. I think it probable that I also have some residual files left from previous malware that have been a bit slippery. I'm also kind of concerned about port activity/how to completely disable UPnP and autorun stuff.

Suspicious behaviours - what I believe to be misplaced files/folders; Spybot S&D advanced mode seems to indicate some of my startup programs/entries as being malware. Sophos identifies locked, inaccessible, corrupted, and hidden files during scans. Yesterday I tried to use F-Secure's online scanner and was asked to download an add-on - which seemed normal enough/harmless considering I was currently trying to run an online AV program - I'm near 100% sure it wasn't spoofware or whatever it's called. Here's what Sophos noticed at this time:

File "C:\WINDOWS\system32\C2MP\npdivx32.dll" has been identified as suspicious file of type 'Sus/ComPack-B'.
Please send a sample to Sophos.

20090527 211226 On-access scanner has denied access to location "C:\WINDOWS\system32\C2MP\npdivx32.dll" for user SARAHHPPC\Sarah Creighton

20090527 211227 Scanning "C:\DOCUME~1\SARAHC~1\LOCALS~1\Temp\AVPA2.tmp" returned SAV Interface error 0xa0040210: The file could not be accessed.

20090527 211225 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\AVPA2.tmp" belongs to virus/spyware 'Mal/EncPk-BQ'.

20090527 212331 File "C:\WINDOWS\system32\C2MP\npdivx32.dll" has been identified as suspicious file of type 'Sus/ComPack-B'.
Please send a sample to Sophos.

20090527 212331 Suspicious file "C:\WINDOWS\system32\C2MP\npdivx32.dll" has been deleted.

20090527 212347 File "C:\Program Files\IObit\Advanced SystemCare 3\STFix.dll" has been identified as suspicious file of type 'Sus/Behav-113'.
Please send a sample to Sophos.

20090527 212347 Suspicious file "C:\Program Files\IObit\Advanced SystemCare 3\STFix.dll" has been deleted.


Somehow I haven't been able to find the supposed virus again - either through scanning or looking for it on my own. That concerns me. There are several other interesting errors and such that have come up, but I'll have to do a re-scan because it's been 2 days. I'm sorry I can't provide more detailed/specific information.

*********************************************************************************************************************************
I've included a copy of a DDS log below:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Sarah Creighton at 12:01:05.07 on 30/05/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.219 [GMT -4:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVMain.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sarah Creighton\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {aa58ed58-01dd-4d91-8333-cf10577473f7} - Google Toolbar Helper
BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - Google Toolbar Notifier BHO
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Logitech Utility] LOGI_MWX.EXE
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184109869907
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sarahc~1\applic~1\mozilla\firefox\profiles\r5k13uos.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?auth=DQAAAHYAAAA7cIA-hR7CFAjImUIhK3KE56F1sT7Jzs25L-lQ8Dj_ZwaMFavtb_MEdHHkCWGPV-7o3_A-aiRpk_1ECXclXTQeIXiyL_zO3RaZCW5RKcH5YrbR0nAwzlNe_hO13WGcB_1SpxT_mtojV2dw8U7vt53OXCngpZiw7E2zqCM6DIfpDg|https://muss.cis.mcmaster.ca/Session/311866-tGFY58BgRJ1Nc7cAe1Ae/Mailboxes.wssp|http://mcmaster.facebook.com/index.php?logged_out=1|http://www.ltrc.mcmaster.ca/webct/index.shtml|http://www.learnlink.mcmaster.ca/Login|http://www.science.mcmaster.ca/Psychology/psych.html
FF - plugin: c:\program files\microsoft\office live\npOLW.dll

---- FIREFOX POLICIES ----
user_pref('capability.policy.policynames', 'localfilelinks');user_pref('capability.policy.localfilelinks.sites', 'hxxp://www.webmynd.com http://www.google.com');user_pref('...ri.enabled', 'allAccess');
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-23 64160]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2009-3-27 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2009-3-27 38528]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-5-29 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2009-3-27 98304]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2009-3-27 172032]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-1-4 189792]
S0 ffjr;ffjr;c:\windows\system32\drivers\tbgbd.sys --> c:\windows\system32\drivers\tbgbd.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1005904]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-3-27 14976]

=============== Created Last 30 ================

2009-05-27 19:46 <DIR> --d----- C:\VundoFix Backups
2009-05-27 18:50 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-25 19:17 <DIR> --d----- c:\program files\iTunes
2009-05-25 19:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-23 12:27 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-23 12:06 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-23 11:56 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-23 11:56 <DIR> --d----- c:\program files\Lavasoft
2009-05-23 10:50 <DIR> --d----- c:\program files\Trend Micro
2009-05-21 01:29 <DIR> --d----- c:\docume~1\sarahc~1\applic~1\Malwarebytes
2009-05-21 01:29 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 01:29 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-21 01:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-21 01:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-20 20:47 <DIR> --d----- c:\program files\Panda Security

==================== Find3M ====================

2009-03-27 21:58 130,104 a------- c:\windows\system32\sdccoinstaller.dll
2009-03-27 21:57 23,552 a------- c:\windows\system32\sophosboottasks.exe
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-03 12:18 73,728 a------- c:\windows\system32\RtNicProp32.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2008-12-12 08:25 256 a------- c:\documents and settings\sarah creighton\pool.bin
2008-06-25 11:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008062520080626\index.dat

============= FINISH: 12:02:15.84 ===============

Thanks in advance to anyone/people who are able to help me out. Let me know what I can do to be useful. THANKS!!
S.
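As a worked example that is not part of this thread or of the DDS tool itself: a small Python triage script for the kind of DDS log pasted above. It flags the entries a malware-removal helper typically reads first: an AV:/FW: line showing protection disabled, BHO/TB entries registered with "No File", Run entries given as a bare filename, any AppInit_DLLs value, and services/drivers whose binary DDS could not find ("--> ... [?]"). The line formats are assumed from the logs in this thread, the sample excerpt is constructed to resemble them rather than copied verbatim, and the category names are the script's own.

```python
"""Triage a DDS log for the entries a malware-removal helper reads first.

Added example for this thread; it is not part of DDS (by sUBs) or of the
original post. The line formats parsed here are assumed from the DDS logs
pasted in the thread (the AV: line, 'Pseudo HJT Report' and
'SERVICES / DRIVERS' sections); the category names are this script's own.
"""
import re

# Constructed excerpt modelled on the thread's logs, not a verbatim copy.
SAMPLE_DDS = r"""
DDS (Ver_09-05-14.01) - NTFSx86
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Pseudo HJT Report ===============

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Logitech Utility] LOGI_MWX.EXE
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-23 64160]
S0 ffjr;ffjr;c:\windows\system32\drivers\tbgbd.sys --> c:\windows\system32\drivers\tbgbd.sys [?]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2009-3-27 98304]
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[[^\]]+\] (.+)$")
SERVICE_RE = re.compile(r"^[RS]\d \S")


def split_sections(text):
    """Group log lines by their '=== name ===' header; text before the first
    header (DDS version, AV:/FW: lines) goes under 'HEADER'."""
    sections = {"HEADER": []}
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def triage(text):
    """Return (category, line) pairs worth a second look, in log order."""
    findings = []
    sections = split_sections(text)

    # Security Center state: on-access AV or firewall reported as off.
    for line in sections.get("HEADER", []):
        if line.startswith(("AV:", "FW:")) and "disabled" in line.lower():
            findings.append(("protection-disabled", line))

    for line in sections.get("PSEUDO HJT REPORT", []):
        # CLSID still registered but the DLL is gone: a leftover of a removed
        # add-on or an earlier cleanup; usually harmless, but should go.
        if line.endswith("- No File"):
            findings.append(("orphan-entry", line))
        # Run entry given as a bare filename (no directory, no %var%, not
        # quoted): the loader locates it by search path, so a same-named
        # file planted earlier in that path would run instead.
        m = RUN_RE.match(line)
        if m:
            target = m.group(1)
            if "\\" not in target and "%" not in target and not target.startswith('"'):
                findings.append(("unqualified-path", line))
        # AppInit_DLLs is loaded into every process that loads user32.dll,
        # so any value here deserves a look even when it belongs to the AV.
        if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(("appinit-dll", line))

    # DDS prints 'path --> path [?]' when it cannot find the service binary.
    for line in sections.get("SERVICES / DRIVERS", []):
        if SERVICE_RE.match(line) and line.endswith("[?]"):
            findings.append(("missing-driver", line))

    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_DDS):
        print(f"{category:20} {line}")
```

Run against a full pasted log, the script is only a first pass: it tells you which lines to look at, not whether they are malicious, and a missing-driver entry such as the S0 one above is as likely to be debris from an uninstalled security tool as from malware.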

#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:36 AM

Posted 10 June 2009 - 03:13 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#3 creighs

creighs
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Location:ON
  • Local time:03:36 AM

Posted 12 June 2009 - 10:12 AM

No problem! Things have changed a bit on my system, yes, and I'm trying to come up with a more complete report, but it might be a few days until I can post something solid (aside from the DDS output). Hopefully it will be under 2 days. I've done a ton of scans with different programs and everything seems to come back clean; however, there are odd things that I notice on my machine every so often. Nothing glaringly obvious, but there *is* something that's not quite right.

Would it be beneficial to post a DDS log right now or is it best if I get a more thorough report together and post the DDS log with that? My reasoning is that perhaps something to look over in the meantime is better than nothing? I know it's more useful to have everything, obviously, but I thought I'd throw it out there just in case. Thanks again for taking the time to help me out!!

Take care,
S.

#4 creighs

creighs
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Location:ON
  • Local time:03:36 AM

Posted 12 June 2009 - 10:52 PM

Okay, so I managed to get this up quicker than I expected. Summary of the problem again is - there is nothing glaringly obvious (to me, at least) in terms of identifying a specific kind of malware; however, there are strange goings-on. Perhaps I have remnants of previous malware that was difficult to remove, or several things that aren't doing a ton of damage, but there *is* something off. Please excuse me if I commit any information technology faux pas - I'm not always sure of the right terminology for things.

The general details:
- boot time seems to be normal but loading the gui (from the logon screen onward) takes a fairly long time.
- I've tried to eliminate as many startup programs as possible (safely, through the actual program, not msconfig), but it still takes forever until the computer is "usable". This long load time applies even when I am not connected to the internet/have it disabled.
- each time windows boots the security balloon pops up saying that my AV and/or my firewall is not turned on. These programs do load automatically, just not before the windows notification.

- applications in general take a very long time to load (i.e. those that I initiate after the silly machine finishes loading), and often programs will stall/show the not-responding icon in the top left corner of the window. This happens even when I'm doing very little task-switching.

- my C:/ is accessed more often than normal of late - even when there is little/no user activity. The drive has become noisier and sounds more "erratic" (?) inconsistent (?) than previously (also, the fan seems to be working harder, but that could just be my imagination).

- all scans (resident AV Sophos; several online scans such as F-Secure, TM, Kaspersky; anti-malware such as MBAM, S&D, Ad-Aware AE) come back clear for the most part.

Since my original post:
- I've run several of these scanners several times on full scan settings and in both safe admin mode and regular startup mode. The other actions I've taken since then are mostly me trying to back up as many files as possible (DVD/CD media). This has involved the deletion of duplicate files/folders and moving things to different folders - basically just cleaning things up. This only applies to My Documents-type stuff, mostly my music files and school PDFs and docs. I try to ensure that I'm only backing up and moving files that I know for sure are my own, so I don't anticipate any kind of accidental "damage" to my system.
- I've also poked around through different folders on my system, looking at what's out there (Don't worry! I don't open anything! Just the folders... that's okay, isn't it!?). Spybot S&D's advanced features are mostly what I've taken a look at (just looking, no touching). Here are a few of my observations:
- I've disabled the enhanced text/audio options that are supposed to disable ctfmon.exe; however, it keeps loading back into memory at each startup. I may have missed some step, or maybe not, but I know that ctfmon-type files have been associated with various malware.
- similarly, I have unchecked the MSN Messenger option for running at startup, yet the process for this seems to keep loading itself as well
- As I mentioned previously, there are some hidden folders that seem suspicious, and I've come across multiple files with more than one extension tacked on.
- for example: filename.exe.mui, filename.dll.mui, a file named "ntldr" (without the quotes) that does not have any extension at all, a hidden folder in C:/ called config.msi, secedit.integ.raw, several files with .sys extension, several of the hidden folders claim to be empty. This includes system volume information, in which Sophos has previously detected some infected files (although my settings for AV are on the high side)
- I found a file in system32/ named lsdelete.exe - which seems strange to me, but I could just be paranoid
- the file desktop.ini appears in a whole bunch of different folders (as a hidden file)
- I also found stubinstaller.exe, which has a limewire icon associated with it

- Spybot's processes tab indicated that HPZinw12.exe (c:/Windows/system32) is connecting/communicating with a few of my ports toward a remote ip address. It's always to the same remote port 9220, but the local port fluctuates around 1729-1745 over time. TCP: SYN_SENT is also indicated. None of the other ports were active, but several were listening (445, 135, 137, 139, 138, 123, others) - I don't know a ton about ports and which apps make use of which ones/are allowed to access them, so again I might just be paranoid.
- winlogon.exe and csrss.exe (from the running processes list in Spybot) have \??\C:\Windows/system32 as their file locations and do not have a version history or company name listed
- there are many instances of svchost.exe running at the same time; some are listening on ports
- lastly, Spybot's startup list has this entry DWQueuedReporting (filename dwtrig20.exe -t) and has no information about it. I checked the lists on this page and it has a "?"

I've tried my best to make things clear, but I know some of what I've written is specific to applications I've made use of for investigating. I've run DDS again and the output is below. Let me know what I need to clarify or do next. Thank you!!!
*****************************************************************************************************************


DDS (Ver_09-05-14.01) - NTFSx86
Run by Sarah Creighton at 22:07:38.04 on 12/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.408 [GMT -4:00]

AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Sarah Creighton\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {aa58ed58-01dd-4d91-8333-cf10577473f7} - Google Toolbar Helper
BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - Google Toolbar Notifier BHO
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184109869907
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sarahc~1\applic~1\mozilla\firefox\profiles\r5k13uos.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?auth=DQAAAHYAAAA7cIA-hR7CFAjImUIhK3KE56F1sT7Jzs25L-lQ8Dj_ZwaMFavtb_MEdHHkCWGPV-7o3_A-aiRpk_1ECXclXTQeIXiyL_zO3RaZCW5RKcH5YrbR0nAwzlNe_hO13WGcB_1SpxT_mtojV2dw8U7vt53OXCngpZiw7E2zqCM6DIfpDg|https://muss.cis.mcmaster.ca/Session/311866-tGFY58BgRJ1Nc7cAe1Ae/Mailboxes.wssp|http://mcmaster.facebook.com/index.php?logged_out=1|http://www.ltrc.mcmaster.ca/webct/index.shtml|http://www.learnlink.mcmaster.ca/Login|http://www.science.mcmaster.ca/Psychology/psych.html
FF - plugin: c:\program files\microsoft\office live\npOLW.dll

---- FIREFOX POLICIES ----
user_pref('capability.policy.policynames', 'localfilelinks');user_pref('capability.policy.localfilelinks.sites', 'hxxp://www.webmynd.com http://www.google.com');user_pref('...ri.enabled', 'allAccess');
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-23 64160]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2009-3-27 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2009-3-27 38528]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-5-29 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2009-3-27 98304]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2009-3-27 172032]
R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-1-4 189792]
S0 ffjr;ffjr;c:\windows\system32\drivers\tbgbd.sys --> c:\windows\system32\drivers\tbgbd.sys [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1005904]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\62.tmp --> c:\windows\system32\62.tmp [?]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-3-27 14976]

=============== Created Last 30 ================

2009-06-10 23:17 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 23:17 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-03 21:36 <DIR> --dsh--- c:\documents and settings\sarah creighton\IECompatCache
2009-06-03 21:32 <DIR> --dsh--- c:\documents and settings\sarah creighton\PrivacIE
2009-06-01 13:25 <DIR> --d----- c:\program files\common files\Windows Live
2009-06-01 12:44 244 a---h--- C:\sqmnoopt19.sqm
2009-06-01 12:44 232 a---h--- C:\sqmdata19.sqm
2009-06-01 12:43 244 a---h--- C:\sqmnoopt18.sqm
2009-06-01 12:43 232 a---h--- C:\sqmdata18.sqm
2009-06-01 12:43 244 a---h--- C:\sqmnoopt17.sqm
2009-06-01 12:43 232 a---h--- C:\sqmdata17.sqm
2009-06-01 12:42 244 a---h--- C:\sqmnoopt16.sqm
2009-06-01 12:42 232 a---h--- C:\sqmdata16.sqm
2009-06-01 12:42 244 a---h--- C:\sqmnoopt15.sqm
2009-06-01 12:42 232 a---h--- C:\sqmdata15.sqm
2009-06-01 12:42 244 a---h--- C:\sqmnoopt14.sqm
2009-06-01 12:42 232 a---h--- C:\sqmdata14.sqm
2009-06-01 12:42 244 a---h--- C:\sqmnoopt13.sqm
2009-06-01 12:42 232 a---h--- C:\sqmdata13.sqm
2009-06-01 12:41 244 a---h--- C:\sqmnoopt12.sqm
2009-06-01 12:41 232 a---h--- C:\sqmdata12.sqm
2009-06-01 12:41 244 a---h--- C:\sqmnoopt11.sqm
2009-06-01 12:41 232 a---h--- C:\sqmdata11.sqm
2009-06-01 12:41 244 a---h--- C:\sqmnoopt10.sqm
2009-06-01 12:41 232 a---h--- C:\sqmdata10.sqm
2009-06-01 12:41 244 a---h--- C:\sqmnoopt09.sqm
2009-06-01 12:41 232 a---h--- C:\sqmdata09.sqm
2009-06-01 12:40 244 a---h--- C:\sqmnoopt08.sqm
2009-06-01 12:40 232 a---h--- C:\sqmdata08.sqm
2009-06-01 12:32 244 a---h--- C:\sqmnoopt07.sqm
2009-06-01 12:32 232 a---h--- C:\sqmdata07.sqm
2009-06-01 12:31 244 a---h--- C:\sqmnoopt06.sqm
2009-06-01 12:31 232 a---h--- C:\sqmdata06.sqm
2009-06-01 12:31 244 a---h--- C:\sqmnoopt05.sqm
2009-06-01 12:31 232 a---h--- C:\sqmdata05.sqm
2009-06-01 12:26 244 a---h--- C:\sqmnoopt04.sqm
2009-06-01 12:26 232 a---h--- C:\sqmdata04.sqm
2009-06-01 12:24 244 a---h--- C:\sqmnoopt03.sqm
2009-06-01 12:24 232 a---h--- C:\sqmdata03.sqm
2009-06-01 11:45 <DIR> --dsh--- c:\documents and settings\sarah creighton\IETldCache
2009-06-01 11:40 <DIR> --d----- c:\windows\ie8updates
2009-06-01 11:39 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-06-01 11:32 <DIR> -cd-h--- c:\windows\ie8
2009-05-27 19:46 <DIR> --d----- C:\VundoFix Backups
2009-05-27 18:50 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-25 19:17 <DIR> --d----- c:\program files\iTunes
2009-05-25 19:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-23 12:27 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-23 12:06 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-23 11:56 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-23 11:56 <DIR> --d----- c:\program files\Lavasoft
2009-05-23 10:50 <DIR> --d----- c:\program files\Trend Micro
2009-05-21 01:29 <DIR> --d----- c:\docume~1\sarahc~1\applic~1\Malwarebytes
2009-05-21 01:29 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 01:29 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-21 01:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-21 01:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-20 20:47 <DIR> --d----- c:\program files\Panda Security

==================== Find3M ====================

2009-05-25 00:24 350,208 a------- c:\windows\system32\mssph.dll
2009-05-13 01:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 17:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 17:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 17:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 07:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-27 21:58 130,104 a------- c:\windows\system32\sdccoinstaller.dll
2009-03-27 21:57 23,552 a------- c:\windows\system32\sophosboottasks.exe
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2008-12-12 08:25 256 a------- c:\documents and settings\sarah creighton\pool.bin
2008-06-25 11:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008062520080626\index.dat

============= FINISH: 22:08:08.21 ===============


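The services/drivers section of the DDS log above has two entries that end in "[?]" (DDS could not find or read the image file, and one of them is a boot-start driver) and two BHO/toolbar registrations that resolve to "No File". The Python script below is an added example, not part of this thread, of DDS or of ComboFix: it parses those DDS line formats and flags entries for review. The rules (missing image, image in a temp location or with a .tmp extension, boot-start driver with no file, registration with no file) and the Finding structure are this example's own; the sample input is copied from the log above. Flags are review items, not verdicts: an S0 driver whose file is gone is usually a leftover registration from something already removed, and some security products (Sophos's on-demand memory scanner is one) legitimately load a driver from a .tmp file under system32, so each hit still needs to be identified before anything is deleted.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Entries copied from the DDS log posted above (not constructed). A full DDS log can be
# fed in unchanged; lines the parser does not recognise are skipped.
DDS_SAMPLE = r"""
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-23 64160]
R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-1-4 189792]
S0 ffjr;ffjr;c:\windows\system32\drivers\tbgbd.sys --> c:\windows\system32\drivers\tbgbd.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\62.tmp --> c:\windows\system32\62.tmp [?]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-3-27 14976]
"""

# DDS service/driver line: R = running, S = stopped; the digit is the Windows start type
# (0 boot, 1 system, 2 auto, 3 demand, 4 disabled), then name;display;image path.
SERVICE_RE = re.compile(r'^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$')
# Trailing "[date size]" when DDS could stat the image file, "[?]" when it could not.
INFO_RE = re.compile(r'\s\[(?P<info>[^\]]*)\]\s*$')
# BHO / toolbar line: optional description, CLSID, then the registered file (or "No File").
BHO_RE = re.compile(r'^(?P<kind>BHO|TB):\s+(?:(?P<desc>.*?):\s+)?(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s+-\s*(?P<path>.*)$')


@dataclass
class Finding:
    kind: str                      # 'service', 'BHO' or 'TB'
    name: str                      # service name or CLSID
    path: str                      # image path as DDS resolved it
    reasons: List[str] = field(default_factory=list)


def parse_service(line: str) -> Optional[Tuple[str, int, str, str, Optional[str]]]:
    """Split a DDS service line into (state, start type, name, resolved path, file info)."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    rest, info = m.group('rest'), None
    im = INFO_RE.search(rest)
    if im:
        info, rest = im.group('info'), rest[:im.start()]
    # "registry value --> resolved path": keep the resolved path, which drops the \??\ form.
    path = rest.split(' --> ')[-1].strip()
    return m.group('state'), int(m.group('start')), m.group('name'), path, info


def triage(dds_text: str) -> List[Finding]:
    """Return the service and BHO/toolbar entries worth a second look, with reasons."""
    findings: List[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        svc = parse_service(line)
        if svc:
            state, start, name, path, info = svc
            reasons = []
            if info == '?':
                reasons.append('image file missing or unreadable ([?])')
            low = path.lower()
            if low.endswith('.tmp') or '\\temp\\' in low:
                reasons.append('driver/service image in a temp location')
            if start == 0 and info == '?':
                reasons.append('boot-start entry with no file: orphaned, likely left behind by a removed driver')
            if reasons:
                findings.append(Finding('service', name, path, reasons))
            continue
        b = BHO_RE.match(line)
        if b:
            path = b.group('path').strip()
            if path == '' or path.lower() == 'no file':
                findings.append(Finding(b.group('kind'), b.group('clsid'), path,
                                        ['registered with no file on disk (orphaned entry or unresolved path)']))
    return findings


def flagged_names(dds_text: str) -> List[str]:
    return [f.name for f in triage(dds_text)]


if __name__ == '__main__':
    for f in triage(DDS_SAMPLE):
        print(f'{f.kind:8} {f.name:40} {f.path}')
        for r in f.reasons:
            print(f'         - {r}')
```

Run against the excerpt, the script lists the two "No File" registrations, the Google toolbar entry with no resolved path, ffjr (missing image, boot-start) and MEMSWEEP2 (missing image, .tmp under system32), and leaves Lbd, vsdatant and SophosBootDriver alone. The point of keeping the reasons alongside each hit is that the person reading the log decides what to do with them; the script only stops the orphaned entries from getting lost among the dozens of legitimate ones.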
#5 screen317

  • Malware Response Team
  • 236 posts
  • Gender:Male
  • Location:Los Angeles

Posted 14 June 2009 - 06:54 PM

Hello and welcome to BleepingComputer.

Thank you for the detailed report. I am not convinced that all of the infections have been completely removed.


Please insert all removable media (flash drives, etc.), and do the following:


We'll begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

#6 creighs

  • Topic Starter

  • Members
  • 46 posts
  • Location:ON

Posted 15 June 2009 - 12:53 PM

Hi screen317,

My computer won't allow me to save combofix.exe to my desktop. This is the message I receive:

C:\Documents and Settings\Sarah Creighton\Desktop\ComboFix.exe could not be saved, because you cannot change the contents of that folder.

Change the folder properties and try again, or try saving in a different location


Also, every time I try to download the file my AV gives me the following messages:

20090615 164103 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\n.com" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 164103 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\pev.exe" has been identified as suspicious file of type 'Sus/ComPack-B'.
Please send a sample to Sophos.
20090615 164103 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\NirCmd.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 164103 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\NirCmdC.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 164109 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\jJptPi0L.exe.part\SfxArchiveData\32788R22FWJFW\n.com" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 164109 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\jJptPi0L.exe.part\SfxArchiveData\32788R22FWJFW\pev.exe" has been identified as suspicious file of type 'Sus/ComPack-B'.
Please send a sample to Sophos.
20090615 164109 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\jJptPi0L.exe.part\SfxArchiveData\32788R22FWJFW\NirCmd.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 164109 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\jJptPi0L.exe.part\SfxArchiveData\32788R22FWJFW\NirCmdC.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 164320 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\jJptPi0L.exe.part\SfxArchiveData\32788R22FWJFW\n.com" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 164320 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\jJptPi0L.exe.part\SfxArchiveData\32788R22FWJFW\pev.exe" has been identified as suspicious file of type 'Sus/ComPack-B'.
Please send a sample to Sophos.
20090615 164320 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\jJptPi0L.exe.part\SfxArchiveData\32788R22FWJFW\NirCmd.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 164320 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\jJptPi0L.exe.part\SfxArchiveData\32788R22FWJFW\NirCmdC.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 164320 On-access scanner has denied access to location "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\jJptPi0L.exe.part" for user SARAHHPPC\Sarah Creighton
20090615 170300 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\n.com" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170300 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\pev.exe" has been identified as suspicious file of type 'Sus/ComPack-B'.
Please send a sample to Sophos.
20090615 170300 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\NirCmd.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170300 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\NirCmdC.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170300 On-access scanner has denied access to location "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01" for user SARAHHPPC\Sarah Creighton
20090615 170312 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\n.com" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170312 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\pev.exe" has been identified as suspicious file of type 'Sus/ComPack-B'.
Please send a sample to Sophos.
20090615 170312 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\NirCmd.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170312 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\NirCmdC.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170312 On-access scanner has denied access to location "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01" for user SARAHHPPC\Sarah Creighton
20090615 170348 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\n.com" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170348 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\pev.exe" has been identified as suspicious file of type 'Sus/ComPack-B'.
Please send a sample to Sophos.
20090615 170348 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\NirCmd.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170348 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\NirCmdC.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170348 On-access scanner has denied access to location "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01" for user SARAHHPPC\Sarah Creighton
20090615 170401 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\n.com" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170401 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\pev.exe" has been identified as suspicious file of type 'Sus/ComPack-B'.
Please send a sample to Sophos.
20090615 170401 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\NirCmd.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170401 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\NirCmdC.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170401 On-access scanner has denied access to location "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01" for user SARAHHPPC\Sarah Creighton
20090615 170535 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\6hRQeq_W.exe.part\SfxArchiveData\32788R22FWJFW\n.com" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170535 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\6hRQeq_W.exe.part\SfxArchiveData\32788R22FWJFW\pev.exe" has been identified as suspicious file of type 'Sus/ComPack-B'.
Please send a sample to Sophos.
20090615 170535 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\6hRQeq_W.exe.part\SfxArchiveData\32788R22FWJFW\NirCmd.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170535 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\6hRQeq_W.exe.part\SfxArchiveData\32788R22FWJFW\NirCmdC.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170535 On-access scanner has denied access to location "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\6hRQeq_W.exe.part" for user SARAHHPPC\Sarah Creighton
20090615 170536 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\6D952C06d01\SfxArchiveData\32788R22FWJFW\n.com" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170536 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\6D952C06d01\SfxArchiveData\32788R22FWJFW\pev.exe" has been identified as suspicious file of type 'Sus/ComPack-B'.
Please send a sample to Sophos.
20090615 170536 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\6D952C06d01\SfxArchiveData\32788R22FWJFW\NirCmd.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170536 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\6D952C06d01\SfxArchiveData\32788R22FWJFW\NirCmdC.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170542 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\6hRQeq_W.exe.part\SfxArchiveData\32788R22FWJFW\n.com" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170542 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\6hRQeq_W.exe.part\SfxArchiveData\32788R22FWJFW\pev.exe" has been identified as suspicious file of type 'Sus/ComPack-B'.
Please send a sample to Sophos.
20090615 170542 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\6hRQeq_W.exe.part\SfxArchiveData\32788R22FWJFW\NirCmd.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170542 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\6hRQeq_W.exe.part\SfxArchiveData\32788R22FWJFW\NirCmdC.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).

I tried 2 of the 3 links and both resulted in the above text. I don't currently have access to a functional printer, unfortunately. I *might* be able to install one. It's possible that I could use my phone as well but I'm not sure how well that would work. So long as I'm not actually running combofix, is it possible to paste everything I need into a word document so I can view the instructions? I know you're not supposed to touch anything on your computer while combofix is running, so should I change some of my computer settings so it doesn't go to the screensaver, hibernate, etc.? Last question: does combofix *need* access to my internet while it's installing/configuring itself, or would it be acceptable if I were to disable and re-enable it (internet cnx) myself? I'm just paranoid about the amount of time between when I turn off the AV, AS and FW and when combofix starts its thing.

I am very sorry for the delay. Thank you so much for your help screen317!

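Every Sophos alert quoted in the post above names a path containing \SfxArchiveData\, which is how Sophos reports a file found inside an archive: the part before the marker is the container (here a half-finished .exe.part download in Temp, or a Firefox cache entry) and the part after it is the component inside that archive. The Python script below is an added example, not part of the post, of Sophos or of ComboFix. It collapses the repeated lines into one summary per container and component and separates detections inside a downloaded archive from detections on plain on-disk files, which is the first question a responder asks of a log like this. The regular expressions match the message formats exactly as quoted above; the sample input is an excerpt of those lines (the repeated runs cut down to one line per distinct container and component); treating the marker as the container/component boundary is this example's own assumption.

```python
import re
from collections import defaultdict

# Excerpt of the Sophos on-access log quoted in post #6 above (copied, not constructed;
# the repeated runs are cut down to one line per distinct container and component).
SOPHOS_LOG = r"""
20090615 164103 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\n.com" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 164103 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\pev.exe" has been identified as suspicious file of type 'Sus/ComPack-B'.
Please send a sample to Sophos.
20090615 164103 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\NirCmd.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 164103 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\C2152591d01\SfxArchiveData\32788R22FWJFW\NirCmdC.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 164320 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\jJptPi0L.exe.part\SfxArchiveData\32788R22FWJFW\pev.exe" has been identified as suspicious file of type 'Sus/ComPack-B'.
Please send a sample to Sophos.
20090615 164320 On-access scanner has denied access to location "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\jJptPi0L.exe.part" for user SARAHHPPC\Sarah Creighton
20090615 170535 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\6hRQeq_W.exe.part\SfxArchiveData\32788R22FWJFW\n.com" belongs to adware/PUA 'NirCmd' (of type Other).
20090615 170535 On-access scanner has denied access to location "C:\Documents and Settings\Sarah Creighton\Local Settings\Temp\6hRQeq_W.exe.part" for user SARAHHPPC\Sarah Creighton
20090615 170536 File "C:\Documents and Settings\Sarah Creighton\Local Settings\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\Cache\6D952C06d01\SfxArchiveData\32788R22FWJFW\NirCmdC.cfexe" belongs to adware/PUA 'NirCmd' (of type Other).
"""

# Each event line starts with YYYYMMDD HHMMSS; "Please send a sample to Sophos." is a
# continuation line with no timestamp and is skipped.
EVENT_RE = re.compile(r"^(?P<date>\d{8}) (?P<time>\d{6}) (?P<msg>.*)$")
PUA_RE = re.compile(r"^File \"(?P<path>.+)\" belongs to adware/PUA '(?P<name>[^']+)'")
SUS_RE = re.compile(r"^File \"(?P<path>.+)\" has been identified as suspicious file of type '(?P<name>[^']+)'")
DENY_RE = re.compile(r"^On-access scanner has denied access to location \"(?P<path>.+)\" for user (?P<user>.+)$")
# Assumption for this example: Sophos reports a file inside an archive as
# <container path>\SfxArchiveData\<path inside the archive>.
ARCHIVE_MARKER = '\\SfxArchiveData\\'


def split_archive_path(path):
    """Return (container, inner) for a path inside an archive, or (path, None) for a plain file."""
    if ARCHIVE_MARKER in path:
        container, inner = path.split(ARCHIVE_MARKER, 1)
        return container, inner
    return path, None


def basename(path):
    return path.rstrip('\\').rsplit('\\', 1)[-1]


def summarize(log_text):
    """Group detections by container and component; list hits on plain files separately."""
    components = defaultdict(set)   # file inside the archive -> detection names
    containers = set()              # downloaded files the detections live inside
    outside_archive = []            # detections on plain on-disk files (none expected here)
    denied = []                     # containers the on-access scanner blocked
    for line in log_text.splitlines():
        ev = EVENT_RE.match(line)
        if not ev:
            continue
        msg = ev.group('msg')
        hit = PUA_RE.match(msg) or SUS_RE.match(msg)
        if hit:
            container, inner = split_archive_path(hit.group('path'))
            if inner is None:
                outside_archive.append(hit.group('path'))
            else:
                containers.add(basename(container))
                components[basename(inner)].add(hit.group('name'))
            continue
        d = DENY_RE.match(msg)
        if d:
            denied.append(basename(d.group('path')))
    return {
        'containers': sorted(containers),
        'components': {k: sorted(v) for k, v in components.items()},
        'outside_archive': outside_archive,
        'denied': denied,
    }


if __name__ == '__main__':
    s = summarize(SOPHOS_LOG)
    print('containers :', ', '.join(s['containers']))
    for comp, names in s['components'].items():
        print(f'component  : {comp:15} {", ".join(names)}')
    print('denied     :', ', '.join(s['denied']))
    print('plain files:', s['outside_archive'] or 'none')
```

On the excerpt the outside_archive list comes back empty: every detection is one of four components (n.com, pev.exe, NirCmd.cfexe, NirCmdC.cfexe) inside one of four copies of the same download (two partial downloads in Temp, two Firefox cache entries), and the two "denied access" events are the on-access scanner blocking the partial downloads, which is consistent with the failed save to the Desktop. The same summary run over a log where outside_archive is not empty would point at the files that need attention first.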
#7 screen317

  • Malware Response Team
  • 236 posts
  • Gender:Male
  • Location:Los Angeles

Posted 17 June 2009 - 01:21 PM

ComboFix does require Internet access to download the Recovery Console; however, we can work around that.

First, can you download ComboFix from another computer and save it to a flash drive? If so, do so.


Please download this file and save it as it's originally named, on your flash drive next to ComboFix.




Now, disconnect from the Internet. Next, disable all protection programs. Insert your flash drive.


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, it will ask you whether or not to continue with the malware scan. Select Yes, and post the resultant log.


-screen317

#8 creighs

  • Topic Starter

  • Members
  • 46 posts
  • Location:ON

Posted 18 June 2009 - 01:58 PM

You can find the ComboFix log below. Unfortunately I'm a tool and forgot to connect my other flash media devices, so I plan to run the scan again, and then post the log results of that. A few things I've noticed: Many ComboFix files and flash_disinfector files are identified by my AV (Sophos) as showing suspicious behaviour/files/HIPS and I'm not sure which I should authorize and which might actually be from something malicious. For example, after ComboFix rebooted my computer (which I waited almost 20min for it to do) and then finished the scan and showed the log I received a message about HIPS/regmod-16 for file C:\WINDOWS\regedit.exe, and I'm unsure if I should tell Sophos to allow it or not. I can post the Sophos logs if it would be helpful. Second thing I noticed: an IE icon was placed on my desktop and when I opened Firefox I was shown a message stating that Firefox was not set to be my current browser. That's all for now. I will post the log file for the scan with my usb drives as soon as it's done. Thanks again so much for your help.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

ComboFix 09-06-17.04 - Sarah Creighton 18/06/2009 13:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.581 [GMT -4:00]
Running from: E:\ComboFix.exe
Command switches used :: E:\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\creator

.
((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-14 22:21 . 2009-06-14 22:22 -------- d-----w- c:\program files\iTunes
2009-06-14 22:04 . 2009-06-14 22:04 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-13 16:06 . 2009-06-13 16:06 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-11 03:17 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-11 03:17 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-04 01:36 . 2009-06-04 01:36 -------- d-sh--w- c:\documents and settings\Sarah Creighton\IECompatCache
2009-06-04 01:32 . 2009-06-04 01:32 -------- d-sh--w- c:\documents and settings\Sarah Creighton\PrivacIE
2009-06-03 02:48 . 2009-06-03 02:48 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-06-03 01:11 . 2009-06-03 01:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-01 17:51 . 2009-06-01 17:51 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-01 17:25 . 2009-06-01 17:25 -------- d-----w- c:\program files\Common Files\Windows Live
2009-06-01 15:45 . 2009-06-01 15:45 -------- d-sh--w- c:\documents and settings\Sarah Creighton\IETldCache
2009-06-01 15:40 . 2009-06-11 04:07 -------- d-----w- c:\windows\ie8updates
2009-06-01 15:39 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-01 15:32 . 2009-06-01 15:34 -------- dc-h--w- c:\windows\ie8
2009-05-29 20:59 . 2009-05-29 20:59 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2009-05-29 20:59 . 2009-05-29 20:59 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\savapibridge.dll
2009-05-29 20:59 . 2009-05-29 20:59 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2009-05-29 20:59 . 2009-05-29 20:59 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
2009-05-29 20:59 . 2009-05-29 20:59 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
2009-05-29 20:59 . 2009-05-29 20:59 294240 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
2009-05-29 20:59 . 2009-05-29 20:59 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
2009-05-29 20:58 . 2009-05-29 20:58 1630048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
2009-05-29 20:58 . 2009-05-29 20:58 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
2009-05-29 20:58 . 2009-05-29 20:58 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2009-05-29 20:57 . 2009-05-29 20:58 640360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
2009-05-29 20:57 . 2009-05-29 20:57 540536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2009-05-29 20:57 . 2009-05-29 20:57 559464 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2009-05-29 20:57 . 2009-05-29 20:57 2352456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-05-29 20:57 . 2009-05-29 20:57 627536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWWSC.exe
2009-05-29 20:57 . 2009-05-29 20:57 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
2009-05-29 20:57 . 2009-05-29 20:57 1005904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2009-05-28 23:21 . 2009-05-28 23:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Sophos
2009-05-27 23:46 . 2009-05-27 23:46 -------- d-----w- C:\VundoFix Backups
2009-05-27 22:50 . 2009-01-05 01:26 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-05-27 18:40 . 2009-05-27 18:40 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-25 23:17 . 2009-05-25 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-24 19:39 . 2009-05-24 19:39 -------- d-----w- c:\documents and settings\Sarah Creighton\Local Settings\Application Data\MicroVision Applications
2009-05-23 21:02 . 2009-05-23 21:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Leadertech
2009-05-23 17:51 . 2009-05-23 17:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-23 16:27 . 2009-05-29 20:59 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-23 16:06 . 2009-05-23 16:05 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-23 16:05 . 2009-05-23 16:05 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
2009-05-23 15:56 . 2009-05-23 15:56 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-23 15:56 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-05-23 15:56 . 2009-05-23 15:56 -------- d-----w- c:\program files\Lavasoft
2009-05-23 14:50 . 2009-05-23 14:50 -------- d-----w- c:\program files\Trend Micro
2009-05-21 05:29 . 2009-05-21 05:29 -------- d-----w- c:\documents and settings\Sarah Creighton\Application Data\Malwarebytes
2009-05-21 05:29 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-21 05:29 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-21 05:29 . 2009-05-21 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-21 05:29 . 2009-05-27 18:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-21 00:47 . 2009-05-28 21:50 -------- d-----w- c:\program files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 22:21 . 2005-12-31 01:58 -------- d-----w- c:\program files\iPod
2009-06-14 22:20 . 2007-08-27 16:54 -------- d-----w- c:\program files\Common Files\Apple
2009-06-14 22:16 . 2009-01-28 00:08 -------- d-----w- c:\program files\QuickTime
2009-06-11 04:12 . 2009-03-28 00:27 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-05 14:11 . 2007-07-30 01:15 10134 ----a-r- c:\documents and settings\Sarah Creighton\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2009-06-02 17:10 . 2009-03-28 01:56 -------- d-----w- c:\program files\Sophos
2009-06-01 16:20 . 2006-05-09 21:56 -------- d-----w- c:\program files\MSN Messenger
2009-05-28 22:45 . 2007-08-21 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-28 22:04 . 2007-01-11 12:19 -------- d-----w- c:\program files\Palm
2009-05-28 21:58 . 2007-01-25 19:33 -------- d-----w- c:\program files\Common Files\DataViz
2009-05-28 21:54 . 2005-04-11 07:03 -------- d-----w- c:\program files\Easy Internet signup
2009-05-28 21:50 . 2009-02-06 01:39 -------- d-----w- c:\program files\IObit
2009-05-28 21:49 . 2006-01-05 05:09 -------- d-----w- c:\program files\LimeWire
2009-05-28 21:48 . 2009-04-14 18:04 -------- d-----w- c:\program files\Acro Software
2009-05-25 04:24 . 2008-05-27 02:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-23 16:38 . 2007-08-21 18:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-13 05:15 . 2004-08-04 08:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 19:12 . 2005-12-31 10:14 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-07 15:32 . 2004-08-04 08:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-04 08:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 08:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-30 12:54 . 2005-12-30 23:22 56776 ----a-w- c:\documents and settings\Sarah Creighton\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-28 21:20 . 2009-03-28 21:20 1 ----a-w- c:\documents and settings\Sarah Creighton\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-03-28 01:58 . 2009-03-28 01:58 14976 ----a-w- c:\windows\system32\drivers\SophosBootDriver.sys
2009-03-28 01:58 . 2009-03-28 01:58 38528 ----a-w- c:\windows\system32\drivers\savonaccessfilter.sys
2009-03-28 01:58 . 2009-03-28 02:00 130104 ----a-w- c:\windows\system32\sdccoinstaller.dll
2009-03-28 01:57 . 2009-03-28 01:59 23552 ----a-w- c:\windows\system32\sophosboottasks.exe
2009-03-28 01:57 . 2009-03-28 01:57 110848 ----a-w- c:\windows\system32\drivers\savonaccesscontrol.sys
2009-03-25 10:29 . 2007-06-01 18:28 130432 ----a-w- c:\windows\system32\drivers\Rtnicxp.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 233534]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"hpWirelessAssistant"="c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-01-21 790528]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-3-27 245760]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"eabconfg.cpl"=c:\program files\HPQ\Quick Launch Buttons\EabServr.exe /Start
"Ad-Watch"=c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [23/05/2009 12:06 PM 64160]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [27/03/2009 9:57 PM 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [27/03/2009 9:58 PM 38528]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [29/05/2009 4:58 PM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [27/03/2009 9:57 PM 98304]
S0 ffjr;ffjr;c:\windows\system32\drivers\tbgbd.sys --> c:\windows\system32\drivers\tbgbd.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 7:19 PM 13592]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 3:06 PM 1005904]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\62.tmp --> c:\windows\system32\62.tmp [?]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [27/03/2009 9:58 PM 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 20:57]

2009-06-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-16 c:\windows\Tasks\McMaster Scan.job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2009-03-28 01:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-18 13:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?????? ?,?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\62.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-392835775-2720327747-1395164233-1006\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
@SACL=
"Policy"=dword:00000000

[HKEY_USERS\S-1-5-21-392835775-2720327747-1395164233-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3252)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\windows\system32\searchindexer.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hp\Digital Imaging\bin\hpqste08.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hp\Digital Imaging\bin\hpqnrs08.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-06-18 13:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-18 17:50

Pre-Run: 18,620,993,536 bytes free
Post-Run: 19,060,936,704 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

254 --- E O F --- 2009-06-15 16:16

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


#9 creighs (Topic Starter)

Posted 18 June 2009 - 04:50 PM

Here is the ComboFix log I obtained when I rescanned with the flash drives inserted. Firefox still reports it's not the default browser - I thought I'd changed it to default, but maybe I'm crazy...

ComboFix 09-06-17.04 - Sarah Creighton 18/06/2009 16:52.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.504 [GMT -4:00]
Running from: c:\documents and settings\Sarah Creighton\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sarah Creighton\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.

((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-18 20:49 . 2009-06-18 20:50 -------- d-----w- C:\32788R22FWJFW
2009-06-14 22:21 . 2009-06-14 22:22 -------- d-----w- c:\program files\iTunes
2009-06-14 22:04 . 2009-06-14 22:04 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-13 16:06 . 2009-06-13 16:06 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-11 03:17 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-11 03:17 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-04 01:36 . 2009-06-04 01:36 -------- d-sh--w- c:\documents and settings\Sarah Creighton\IECompatCache
2009-06-04 01:32 . 2009-06-04 01:32 -------- d-sh--w- c:\documents and settings\Sarah Creighton\PrivacIE
2009-06-03 02:48 . 2009-06-03 02:48 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-06-03 01:11 . 2009-06-03 01:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-01 17:51 . 2009-06-01 17:51 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-01 17:25 . 2009-06-01 17:25 -------- d-----w- c:\program files\Common Files\Windows Live
2009-06-01 15:45 . 2009-06-01 15:45 -------- d-sh--w- c:\documents and settings\Sarah Creighton\IETldCache
2009-06-01 15:40 . 2009-06-11 04:07 -------- d-----w- c:\windows\ie8updates
2009-06-01 15:39 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-01 15:32 . 2009-06-01 15:34 -------- dc-h--w- c:\windows\ie8
2009-05-23 16:06 . 2009-05-23 16:05 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-23 16:05 . 2009-05-23 16:05 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
2009-05-23 15:56 . 2009-05-23 15:56 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-23 15:56 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-05-23 15:56 . 2009-05-23 15:56 -------- d-----w- c:\program files\Lavasoft
2009-05-23 14:50 . 2009-05-23 14:50 -------- d-----w- c:\program files\Trend Micro
2009-05-21 05:29 . 2009-05-21 05:29 -------- d-----w- c:\documents and settings\Sarah Creighton\Application Data\Malwarebytes
2009-05-21 05:29 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-21 05:29 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-21 05:29 . 2009-05-21 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-21 05:29 . 2009-06-18 20:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-21 00:47 . 2009-05-28 21:50 -------- d-----w- c:\program files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 20:25 . 2009-05-27 18:40 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-14 22:21 . 2005-12-31 01:58 -------- d-----w- c:\program files\iPod
2009-06-14 22:20 . 2007-08-27 16:54 -------- d-----w- c:\program files\Common Files\Apple
2009-06-14 22:16 . 2009-01-28 00:08 -------- d-----w- c:\program files\QuickTime
2009-06-11 04:12 . 2009-03-28 00:27 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-05 14:11 . 2007-07-30 01:15 10134 ----a-r- c:\documents and settings\Sarah Creighton\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2009-06-02 17:10 . 2009-03-28 01:56 -------- d-----w- c:\program files\Sophos
2009-06-01 16:20 . 2006-05-09 21:56 -------- d-----w- c:\program files\MSN Messenger
2009-05-29 20:59 . 2009-05-29 20:59 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2009-05-29 20:59 . 2009-05-23 16:27 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-29 20:59 . 2009-05-29 20:59 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
2009-05-29 20:58 . 2009-05-29 20:58 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
2009-05-29 20:58 . 2009-05-29 20:58 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2009-05-28 22:45 . 2007-08-21 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-28 22:04 . 2007-01-11 12:19 -------- d-----w- c:\program files\Palm
2009-05-28 21:58 . 2007-01-25 19:33 -------- d-----w- c:\program files\Common Files\DataViz
2009-05-28 21:54 . 2005-04-11 07:03 -------- d-----w- c:\program files\Easy Internet signup
2009-05-28 21:50 . 2009-02-06 01:39 -------- d-----w- c:\program files\IObit
2009-05-28 21:49 . 2006-01-05 05:09 -------- d-----w- c:\program files\LimeWire
2009-05-28 21:48 . 2009-04-14 18:04 -------- d-----w- c:\program files\Acro Software
2009-05-25 23:18 . 2009-05-25 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-25 04:24 . 2008-05-27 02:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-23 21:02 . 2009-05-23 21:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Leadertech
2009-05-23 17:51 . 2009-05-23 17:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-23 16:38 . 2007-08-21 18:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-13 05:15 . 2004-08-04 08:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 19:12 . 2005-12-31 10:14 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-07 15:32 . 2004-08-04 08:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-04 08:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 08:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-30 12:54 . 2005-12-30 23:22 56776 ----a-w- c:\documents and settings\Sarah Creighton\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-28 21:20 . 2009-03-28 21:20 1 ----a-w- c:\documents and settings\Sarah Creighton\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-03-28 01:58 . 2009-03-28 01:58 14976 ----a-w- c:\windows\system32\drivers\SophosBootDriver.sys
2009-03-28 01:58 . 2009-03-28 01:58 38528 ----a-w- c:\windows\system32\drivers\savonaccessfilter.sys
2009-03-28 01:58 . 2009-03-28 02:00 130104 ----a-w- c:\windows\system32\sdccoinstaller.dll
2009-03-28 01:57 . 2009-03-28 01:59 23552 ----a-w- c:\windows\system32\sophosboottasks.exe
2009-03-28 01:57 . 2009-03-28 01:57 110848 ----a-w- c:\windows\system32\drivers\savonaccesscontrol.sys
2009-03-25 10:29 . 2007-06-01 18:28 130432 ----a-w- c:\windows\system32\drivers\Rtnicxp.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-06-18_17.42.35 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 233534]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"hpWirelessAssistant"="c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-01-21 790528]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-3-27 245760]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"eabconfg.cpl"=c:\program files\HPQ\Quick Launch Buttons\EabServr.exe /Start
"Ad-Watch"=c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [23/05/2009 12:06 PM 64160]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [27/03/2009 9:57 PM 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [27/03/2009 9:58 PM 38528]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [29/05/2009 4:58 PM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [27/03/2009 9:57 PM 98304]
S0 ffjr;ffjr;c:\windows\system32\drivers\tbgbd.sys --> c:\windows\system32\drivers\tbgbd.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 7:19 PM 13592]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 3:06 PM 1003344]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\62.tmp --> c:\windows\system32\62.tmp [?]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [27/03/2009 9:58 PM 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 20:23]

2009-06-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-16 c:\windows\Tasks\McMaster Scan.job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2009-03-28 01:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-18 17:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?????? ?,?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\62.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-392835775-2720327747-1395164233-1006\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
@SACL=
"Policy"=dword:00000000

[HKEY_USERS\S-1-5-21-392835775-2720327747-1395164233-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3356)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-18 17:12
ComboFix-quarantined-files.txt 2009-06-18 21:12
ComboFix2.txt 2009-06-18 17:50

Pre-Run: 18,852,085,760 bytes free
Post-Run: 18,829,254,656 bytes free

212 --- E O F --- 2009-06-18 18:30


#10 screen317

screen317

  • Malware Response Team
  • 236 posts
  • Gender:Male
  • Location:Los Angeles

Posted 20 June 2009 - 04:47 PM

Hello,

Did you pay for Ad-Aware? If not, I recommend uninstalling it. MBAM is doing the same thing, except... better.


> You can find the ComboFix log below. Unfortunately I'm a tool and forgot to connect my other flash media devices, so I plan to run the scan again, and then post the log results of that.

Thanks for letting me know.

> A few things I've noticed: Many ComboFix files and flash_disinfector files are identified by my AV (Sophos) as showing suspicious behaviour/files/HIPS and I'm not sure which I should authorize and which might actually be from something malicious. For example, after ComboFix rebooted my computer (which I waited almost 20 min for it to do) and then finished the scan and showed the log I received a message about HIPS/regmod-16 for file C:\WINDOWS\regedit.exe, and I'm unsure if I should tell Sophos to allow it or not.

Because of the way ComboFix uses command line tools to fight malware, some antivirus products' heuristic detection will report it as a threat. Please allow everything during ComboFix's run this time.

> I can post the Sophos logs if it would be helpful.

If you could run a full scan with Sophos and post its log, that will be great (do it after running ComboFix).

> Second thing I noticed: an IE icon was placed on my desktop and when I opened Firefox I was shown a message stating that Firefox was not set to be my current browser. That's all for now. I will post the log file for the scan with my usb drives as soon as it's done. Thanks again so much for your help.

That was ComboFix's doing; it restores some default settings (such as those you mentioned), and you may need to change these settings as you see fit.


I await the ComboFix log.

-screen317

#11 creighs (Topic Starter)

Posted 21 June 2009 - 02:40 AM

Hi screen317!

The second combofix log (see post #9) was run with all devices attached. Post #8 is the combofix log that was initially run, with no devices attached/scanned. My apologies, I could have made that clearer! Unfortunately, I won't be able to run any scans until I get back into town late Sunday, so I anticipate the CF results will be posted by Monday noon at the latest. S/AV should be posted no later than 5pm of the same day. The following is what I plan to do as soon as I get back. Please let me know if I should do anything differently.

Okay, so I will uninstall Ad-Aware, reboot to normal user mode, then I will run combofix a third time (with flash media attached) and post the log output here. Then I'll run a full scan with Sophos immediately after that (including the flash media). Or would you suggest I reboot my machine once I've run CF and before I run the full S/AV scan? The log for this will probably be long-ish, as I've set up Sophos to produce a more thorough report than the default. I'll post the log in a separate post. Would you like me to attach a copy as well?

Once again, thank you so very much for your time and assistance! Enjoy the rest of your weekend!
S

#12 screen317

  • Malware Response Team
  • 236 posts
  • Location:Los Angeles

Posted 21 June 2009 - 01:56 PM

My mistake... I didn't see the more recent log.

Give me a little time to write up some instructions; we're going to run ComboFix a little differently this time.

-screen317

#13 creighs

  • Topic Starter
  • Members
  • 46 posts
  • Location:ON

Posted 21 June 2009 - 05:53 PM

Sounds good! Thanks! :thumbup2:

Would you like me to do anything in the meantime? A standard uninstall of Ad-Aware and the S/AV scan, perhaps?

S.

#14 screen317

  • Malware Response Team
  • 236 posts
  • Location:Los Angeles

Posted 21 June 2009 - 07:34 PM

Go ahead and uninstall Ad-Aware now; hold off on the Sophos scan until after we run ComboFix.


Now, disable all protection programs.


Next, please open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

Driver::
MEMSWEEP2
ffjr
KILLALL::
File::
c:\windows\system32\62.tmp
c:\windows\system32\drivers\tbgbd.sys


Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.


-screen317

#15 creighs

  • Topic Starter
  • Members
  • 46 posts
  • Location:ON

Posted 22 June 2009 - 12:36 AM

Uninstalled Ad-Aware, disconnected from the internet, disabled protection, ran CF with the script, rebooted, ran HJT... but without the flash drives inserted/connected :)
CF & HJT logs are below. Please let me know if I should rerun CF with the flash media inserted. *Sigh* I am so very sorry :thumbup2:

----------------------------------------------------- COMBOFIX LOG -----------------------------------------------------

ComboFix 09-06-17.04 - Sarah Creighton 22/06/2009 0:37.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.526 [GMT -4:00]
Running from: c:\documents and settings\Sarah Creighton\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sarah Creighton\Desktop\CFScript.txt
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
* Created a new restore point

FILE ::
"c:\windows\system32\62.tmp"
"c:\windows\system32\drivers\tbgbd.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Service_ffjr
-------\Service_MEMSWEEP2


((((((((((((((((((((((((( Files Created from 2009-05-22 to 2009-06-22 )))))))))))))))))))))))))))))))
.

2009-06-19 11:35 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\Sarah Creighton\Application Data\Mozilla\Firefox\Profiles\r5k13uos.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-06-14 22:21 . 2009-06-14 22:22 -------- d-----w- c:\program files\iTunes
2009-06-14 22:04 . 2009-06-14 22:04 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-13 16:06 . 2009-06-13 16:06 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-11 03:17 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-11 03:17 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-04 01:36 . 2009-06-04 01:36 -------- d-sh--w- c:\documents and settings\Sarah Creighton\IECompatCache
2009-06-04 01:32 . 2009-06-04 01:32 -------- d-sh--w- c:\documents and settings\Sarah Creighton\PrivacIE
2009-06-03 02:48 . 2009-06-03 02:48 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-06-03 01:11 . 2009-06-03 01:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-01 17:51 . 2009-06-01 17:51 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-01 17:25 . 2009-06-01 17:25 -------- d-----w- c:\program files\Common Files\Windows Live
2009-06-01 15:45 . 2009-06-01 15:45 -------- d-sh--w- c:\documents and settings\Sarah Creighton\IETldCache
2009-06-01 15:40 . 2009-06-11 04:07 -------- d-----w- c:\windows\ie8updates
2009-06-01 15:39 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-01 15:32 . 2009-06-01 15:34 -------- dc-h--w- c:\windows\ie8
2009-05-28 23:21 . 2009-05-28 23:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Sophos
2009-05-27 23:46 . 2009-05-27 23:46 -------- d-----w- C:\VundoFix Backups
2009-05-27 22:50 . 2009-01-05 01:26 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-05-27 18:40 . 2009-06-18 20:25 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-25 23:17 . 2009-05-25 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-24 19:39 . 2009-05-24 19:39 -------- d-----w- c:\documents and settings\Sarah Creighton\Local Settings\Application Data\MicroVision Applications
2009-05-23 21:02 . 2009-05-23 21:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Leadertech
2009-05-23 17:51 . 2009-05-23 17:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-23 15:56 . 2009-06-22 04:12 -------- d-----w- c:\program files\Lavasoft
2009-05-23 14:50 . 2009-05-23 14:50 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 20:26 . 2009-05-21 05:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-17 15:27 . 2009-05-21 05:29 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-05-21 05:29 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-14 22:21 . 2005-12-31 01:58 -------- d-----w- c:\program files\iPod
2009-06-14 22:20 . 2007-08-27 16:54 -------- d-----w- c:\program files\Common Files\Apple
2009-06-14 22:16 . 2009-01-28 00:08 -------- d-----w- c:\program files\QuickTime
2009-06-11 04:12 . 2009-03-28 00:27 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-05 14:11 . 2007-07-30 01:15 10134 ----a-r- c:\documents and settings\Sarah Creighton\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2009-06-02 17:10 . 2009-03-28 01:56 -------- d-----w- c:\program files\Sophos
2009-06-01 16:20 . 2006-05-09 21:56 -------- d-----w- c:\program files\MSN Messenger
2009-05-28 22:45 . 2007-08-21 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-28 22:04 . 2007-01-11 12:19 -------- d-----w- c:\program files\Palm
2009-05-28 21:58 . 2007-01-25 19:33 -------- d-----w- c:\program files\Common Files\DataViz
2009-05-28 21:54 . 2005-04-11 07:03 -------- d-----w- c:\program files\Easy Internet signup
2009-05-28 21:50 . 2009-02-06 01:39 -------- d-----w- c:\program files\IObit
2009-05-28 21:50 . 2009-05-21 00:47 -------- d-----w- c:\program files\Panda Security
2009-05-28 21:49 . 2006-01-05 05:09 -------- d-----w- c:\program files\LimeWire
2009-05-28 21:48 . 2009-04-14 18:04 -------- d-----w- c:\program files\Acro Software
2009-05-25 04:24 . 2008-05-27 02:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-23 16:38 . 2007-08-21 18:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-21 05:29 . 2009-05-21 05:29 -------- d-----w- c:\documents and settings\Sarah Creighton\Application Data\Malwarebytes
2009-05-21 05:29 . 2009-05-21 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-13 05:15 . 2004-08-04 08:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 19:12 . 2005-12-31 10:14 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-07 15:32 . 2004-08-04 08:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-04 08:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 08:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-30 12:54 . 2005-12-30 23:22 56776 ----a-w- c:\documents and settings\Sarah Creighton\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-28 21:20 . 2009-03-28 21:20 1 ----a-w- c:\documents and settings\Sarah Creighton\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-03-28 01:58 . 2009-03-28 01:58 14976 ----a-w- c:\windows\system32\drivers\SophosBootDriver.sys
2009-03-28 01:58 . 2009-03-28 01:58 38528 ----a-w- c:\windows\system32\drivers\savonaccessfilter.sys
2009-03-28 01:58 . 2009-03-28 02:00 130104 ----a-w- c:\windows\system32\sdccoinstaller.dll
2009-03-28 01:57 . 2009-03-28 01:59 23552 ----a-w- c:\windows\system32\sophosboottasks.exe
2009-03-28 01:57 . 2009-03-28 01:57 110848 ----a-w- c:\windows\system32\drivers\savonaccesscontrol.sys
2009-03-25 10:29 . 2007-06-01 18:28 130432 ----a-w- c:\windows\system32\drivers\Rtnicxp.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-06-18_17.42.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-22 04:49 . 2007-06-20 07:59 73728 c:\windows\temp\sophos_autoupdate1.dir\xmltok.dll
- 2009-06-18 17:38 . 2007-06-20 07:59 73728 c:\windows\temp\sophos_autoupdate1.dir\xmltok.dll
- 2009-06-18 17:38 . 2007-06-20 07:59 57344 c:\windows\temp\sophos_autoupdate1.dir\xmlparse.dll
+ 2009-06-22 04:49 . 2007-06-20 07:59 57344 c:\windows\temp\sophos_autoupdate1.dir\xmlparse.dll
+ 2009-06-22 04:49 . 2007-06-20 07:59 14336 c:\windows\temp\sophos_autoupdate1.dir\xmlcpp.dll
- 2009-06-18 17:38 . 2007-06-20 07:59 14336 c:\windows\temp\sophos_autoupdate1.dir\xmlcpp.dll
- 2009-06-18 17:38 . 2008-04-14 08:21 18432 c:\windows\temp\sophos_autoupdate1.dir\SharedRes.dll
+ 2009-06-22 04:49 . 2008-04-14 08:21 18432 c:\windows\temp\sophos_autoupdate1.dir\SharedRes.dll
+ 2009-06-22 04:49 . 2007-06-20 07:59 20480 c:\windows\temp\sophos_autoupdate1.dir\crypto.dll
- 2009-06-18 17:38 . 2007-06-20 07:59 20480 c:\windows\temp\sophos_autoupdate1.dir\crypto.dll
- 2009-06-18 17:38 . 2007-06-20 07:59 45056 c:\windows\temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll
+ 2009-06-22 04:49 . 2007-06-20 07:59 45056 c:\windows\temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll
- 2009-06-18 17:38 . 2009-03-28 01:59 2970 c:\windows\temp\sophos_autoupdate1.dir\scf.dat
+ 2009-06-22 04:49 . 2009-03-28 01:59 2970 c:\windows\temp\sophos_autoupdate1.dir\scf.dat
- 2009-06-18 17:38 . 2009-03-28 01:59 208896 c:\windows\temp\sophos_autoupdate1.dir\retailer.dll
+ 2009-06-22 04:49 . 2009-03-28 01:59 208896 c:\windows\temp\sophos_autoupdate1.dir\retailer.dll
+ 2009-06-22 04:49 . 2007-02-05 18:30 348160 c:\windows\temp\sophos_autoupdate1.dir\MSVCR71.DLL
- 2009-06-18 17:38 . 2007-02-05 18:30 348160 c:\windows\temp\sophos_autoupdate1.dir\MSVCR71.DLL
+ 2009-06-22 04:49 . 2007-02-05 18:30 499712 c:\windows\temp\sophos_autoupdate1.dir\MSVCP71.DLL
- 2009-06-18 17:38 . 2007-02-05 18:30 499712 c:\windows\temp\sophos_autoupdate1.dir\MSVCP71.DLL
+ 2009-06-22 04:49 . 2007-06-20 07:59 745472 c:\windows\temp\sophos_autoupdate1.dir\libeay32.dll
- 2009-06-18 17:38 . 2007-06-20 07:59 745472 c:\windows\temp\sophos_autoupdate1.dir\libeay32.dll
+ 2009-06-22 04:49 . 2009-03-28 01:59 159744 c:\windows\temp\sophos_autoupdate1.dir\libcurl.dll
- 2009-06-18 17:38 . 2009-03-28 01:59 159744 c:\windows\temp\sophos_autoupdate1.dir\libcurl.dll
+ 2009-06-22 04:49 . 2009-03-28 01:59 176128 c:\windows\temp\sophos_autoupdate1.dir\CidSync.dll
- 2009-06-18 17:38 . 2009-03-28 01:59 176128 c:\windows\temp\sophos_autoupdate1.dir\CidSync.dll
- 2009-06-18 17:38 . 2009-03-28 01:59 172032 c:\windows\temp\sophos_autoupdate1.dir\ChannelUpdater.dll
+ 2009-06-22 04:49 . 2009-03-28 01:59 172032 c:\windows\temp\sophos_autoupdate1.dir\ChannelUpdater.dll
+ 2009-06-22 04:49 . 2009-03-28 01:59 659456 c:\windows\temp\sophos_autoupdate1.dir\ALUpdate.exe
- 2009-06-18 17:38 . 2009-03-28 01:59 659456 c:\windows\temp\sophos_autoupdate1.dir\ALUpdate.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 233534]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"hpWirelessAssistant"="c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-01-21 790528]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-3-27 245760]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"eabconfg.cpl"=c:\program files\HPQ\Quick Launch Buttons\EabServr.exe /Start
"Ad-Watch"=c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [27/03/2009 9:57 PM 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [27/03/2009 9:58 PM 38528]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [29/05/2009 4:58 PM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [27/03/2009 9:57 PM 98304]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 7:19 PM 13592]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [27/03/2009 9:58 PM 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-20 c:\windows\Tasks\McMaster Scan.job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2009-03-28 01:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-22 00:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????2?7?7?4??????? ?,?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-392835775-2720327747-1395164233-1006\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
@SACL=
"Policy"=dword:00000000

[HKEY_USERS\S-1-5-21-392835775-2720327747-1395164233-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(248)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\windows\system32\searchindexer.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hp\Digital Imaging\bin\hpqste08.exe
c:\program files\Hp\Digital Imaging\bin\hpqnrs08.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\HPZinw12.exe
c:\windows\system32\dwwin.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-06-22 1:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-22 05:00
ComboFix2.txt 2009-06-18 21:12
ComboFix3.txt 2009-06-18 17:50

Pre-Run: 11,400,527,872 bytes free
Post-Run: 11,398,774,784 bytes free

260 --- E O F --- 2009-06-18 18:30

----------------------------------------------------------- HJT LOG -----------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:01 AM, on 22/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184109869907
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 9429 bytes
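The two logs above are read by hand in this thread: the helper looks for drivers and services written in the reporting window (the CFScript targeted a .sys under system32\drivers plus two services) and for HijackThis entries whose file is gone. The following is an added example of doing that triage programmatically; it is not code from ComboFix, HijackThis or anyone in the thread. The line formats are inferred from the logs posted here, and every sample line it runs on is constructed with placeholder names.

```python
"""Triage helpers for ComboFix and HijackThis logs.

Added example for this thread, not part of ComboFix or HijackThis. Formats are
inferred from the logs posted above; all sample lines here are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ComboFix "Files Created" / "Find3M" line:
#   <created> . <modified> <size or --------> <attrs> <path>
# e.g. 2009-05-27 22:50 . 2009-01-05 01:26 102664 ----a-w- c:\windows\system32\drivers\x.sys
CF_FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# HijackThis entry: "<section> - <body>", e.g. "O2 - BHO: <name> - {CLSID} - <dll or (no file)>"
HJT_RE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.+)$")
# HijackThis marks a registration whose target file is gone with one of these
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class CfEntry:
    created: str
    modified: str
    size: Optional[int]  # None when ComboFix prints "--------" (a directory)
    attrs: str           # 8-char attribute field; leading "d" means directory
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_combofix_files(lines: List[str]) -> List[CfEntry]:
    """Parse file lines from a ComboFix log; headers, dots and banners are skipped."""
    entries = []
    for line in lines:
        m = CF_FILE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(CfEntry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def new_kernel_drivers(entries: List[CfEntry]) -> List[CfEntry]:
    """Kernel-mode drivers (.sys under system32\\drivers) written in the reporting window."""
    return [e for e in entries
            if not e.is_dir and e.path.lower().endswith(".sys")
            and "\\drivers\\" in e.path.lower()]


def parse_hjt(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (section code, body) for every HijackThis entry line."""
    out = []
    for line in lines:
        m = HJT_RE.match(line.strip())
        if m:
            out.append((m["code"], m["body"]))
    return out


def hjt_orphans(lines: List[str]) -> List[Tuple[str, str]]:
    """Registrations (BHOs, toolbars, services) whose file no longer exists:
    harmless by themselves, but a sign that an earlier removal was left unfinished."""
    return [(c, b) for c, b in parse_hjt(lines) if any(mk in b for mk in ORPHAN_MARKERS)]


# Constructed sample input modelled on the thread's log formats (placeholder names).
SAMPLE_CF = r"""
2009-06-14 22:21 . 2009-06-14 22:22 -------- d-----w- c:\program files\ExampleApp
2009-05-27 22:50 . 2009-01-05 01:26 102664 ----a-w- c:\windows\system32\drivers\example1.sys
2009-06-13 16:06 . 2009-06-13 16:06 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-01 15:39 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\example.dll
""".strip().splitlines()

SAMPLE_HJT = r"""
O2 - BHO: Example PDF Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000002} - (no file)
O3 - Toolbar: &Example - {00000000-0000-0000-0000-000000000003} - (no file)
O4 - HKLM\..\Run: [ExampleTray] C:\WINDOWS\system32\exampletray.exe
O23 - Service: Example P2P Server (ExampleP2P) - Unknown owner - C:\Program Files\Example\p2p.exe (file missing)
""".strip().splitlines()

if __name__ == "__main__":
    for e in new_kernel_drivers(parse_combofix_files(SAMPLE_CF)):
        print(f"new driver: {e.path} ({e.size} bytes, created {e.created})")
    for code, body in hjt_orphans(SAMPLE_HJT):
        print(f"orphaned {code}: {body}")
```

The two checks deliberately stay narrow: a new .sys in the drivers folder is not proof of anything (Sophos and Malwarebytes both drop drivers there, as the real log shows), it is just the short list a helper verifies first, by publisher and by whether a matching service entry exists. Orphaned HJT entries are cleanup, not infection, but several of them in one log is a hint that the machine has already been through a partial removal.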



