HijackThis Log contains twex.exe, winlognn.exe


5 replies to this topic

#1 dolph

dolph

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:15 PM

Posted 27 August 2009 - 09:20 AM

BleepingComputer,

My bleeping office computer has been giving me trouble for months. I've been keeping it at bay by using HijackThis to eliminate bizarre startup entries and by using MalwareBytes Anti-Malware to remove malware files every other time I restart the computer, but finally I feel like I have some time to resolve it on my own, with your assistance (sadly, they canned our IT professional). I have run ComboFix in the past on the advice of someone else in the office who has used BleepingComputer, and it did not remove my problem. Anyway, here is the most recent HJT log, so we can start at the beginning:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:50 AM, on 8/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sepialine\Argos Print Monitor\SepialineBDMonitor.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sepialine\Argos Print Monitor\SepialineDesktopClient.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: C:\WINDOWS\system32\mksno4kgfd4d.dll - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\mksno4kgfd4d.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [jsg8jfgfdfhfhf] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [j6uh1ykiydc7supm7xbocxpci3ezsx] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\h02vddvfko.exe
O4 - HKCU\..\Run: [zcofald670wrw7zz3xl] C:\WINDOWS\TEMP\at2lhcj86.exe
O4 - HKCU\..\Run: [jsg8jfgfdfhfhf] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKCU\..\Run: [ymw1ukugladk6a9edg0hn5mabk1dg74f6q6gsvldu] C:\WINDOWS\TEMP\mprjqnds.exe
O4 - HKCU\..\Run: [lgepycum0bevr3695vzzn68g599tx5pj8s7qiuwku] C:\WINDOWS\TEMP\bamy74.exe
O4 - HKCU\..\Run: [qul128owywpmats8l4pxjbk7dhbiau3ihukybeimogq00pyic] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\kbw8x7yxahx6.exe
O4 - HKCU\..\Run: [lvj1x2hi03] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\ur8bs3bc.exe
O4 - HKCU\..\Run: [kl2kdb7vkf5jzqdg7] C:\WINDOWS\TEMP\baqfw3.exe
O4 - HKCU\..\Run: [ghlqb8nawxj4v1q4xrl] C:\WINDOWS\TEMP\ldqtuo3.exe
O4 - HKCU\..\Run: [s8d06mj5nfv] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\fivj76gxhn.exe
O4 - HKCU\..\Run: [jcykhssi6wjq3pqj64y5d3zqzv48qp3knm] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\sqpy5aq4yys.exe
O4 - HKCU\..\Run: [rusv837kd1qcmtk7nacrtvvf8bt87twld2njnnz1ss5] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\u50asmlz9tk.exe
O4 - HKCU\..\Run: [tyc6ve87l8q2vrhqv3wxxva0961rpaoz6u03nq53c1b] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\dm17kbl2nb.exe
O4 - HKCU\..\Run: [hgohunn2s073ulxvwe0g1s] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\zf7gsn5ygq4.exe
O4 - HKCU\..\Run: [prriooj31] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\kudnsr1.exe
O4 - HKCU\..\Run: [hg8qt5dun3qvdn0wczjo1cdg6kakbnlw4h5y0m2by5mhll] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\k238nik540.exe
O4 - HKCU\..\Run: [tkvmd3efbc5v8] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\zeez6nikkte3d.exe
O4 - HKCU\..\Run: [tjkiaqo7kf2mrt6c61rssdesrz] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\dhp74t9zu5443.exe
O4 - HKCU\..\Run: [oilhzbd3hpbm64bti0gzp5p3090aj0g1f14ti3n9jpz1r943] C:\WINDOWS\TEMP\yrh01q7y5ppb.exe
O4 - HKCU\..\Run: [h3drp3uos1zj0aso] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\mvj1015vx.exe
O4 - HKCU\..\Run: [qwcm6rb6n2o74y2ay8x566i3smqowzxb] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\c9iq3hw7l.exe
O4 - HKCU\..\Run: [gx51rf8ihvi06zkeb1u0zj9ljl7vy] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\i2iyqp.exe
O4 - HKCU\..\Run: [jbvyztgkfisccezt70kunk9] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\btjiur32.exe
O4 - HKCU\..\Run: [vot9t81hkd281tvlk] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\odqnwj882odr.exe
O4 - HKCU\..\Run: [jjc4im6mn88in] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\rokqq2nvqtq.exe
O4 - HKCU\..\Run: [mxvikaat3l03hbcjhsp] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\lqd64nbb4h.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = archdem.local
O17 - HKLM\Software\..\Telephony: DomainName = archdem.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = archdem.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = archdem.local
O22 - SharedTaskScheduler: har78w3uhewf8yurhefd - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\mksno4kgfd4d.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Argos Billing Dialog - Sepialine, Inc. - C:\Program Files\Sepialine\Argos Print Monitor\SepialineBDMonitor.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9861b45c685b2) (gupdate1c9861b45c685b2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 9218 bytes

Now here is a MBAM log, with the program fully updated and configured for a quick scan. It returned 9 malware results; I selected all of them and had them removed, then restarted the computer per MBAM's instructions:

Malwarebytes' Anti-Malware 1.40
Database version: 2706
Windows 5.1.2600 Service Pack 3

8/27/2009 9:13:36 AM
mbam-log-2009-08-27 (09-13-36).txt

Scan type: Quick Scan
Objects scanned: 130532
Time elapsed: 4 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c5af42a3-94f3-42bd-f634-3604832c897d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af42a3-94f3-42bd-f634-3604832c897d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5af42a3-94f3-42bd-f634-3604832c897d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Now, if I had additionally removed the suspect entries from my startup programs using HijackThis, my computer would be clean for one restart, and then they would return the next time. I have run ComboFix in the past to no results, even with it fully updated. I can post a log from Tuesday's run at Combofix if you need it.

Thank you for your time and consideration of this problem that you've probably seen hundreds of times by now,

dolph
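The checks a helper applies by eye to a log like the one above (a second entry appended to the Winlogon Userinit value, Run entries that launch executables from temp directories under random value names, and BHO or SharedTaskScheduler registrations whose DLL no longer exists) can be written down as a small triage script. This is an added example, not code from this thread or from the HijackThis project; the sample lines are copied from the log posted above, while the regexes, the "temp directory" and "random-looking name" heuristics and the `Finding` layout are my own assumptions.

```python
"""Triage a HijackThis (HJT) log for the persistence patterns seen in this thread."""
import re
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    section: str            # HJT section tag, e.g. "F2", "O4", "O22"
    name: str               # registry value name or hook name
    target: str             # path the entry launches or loads
    reasons: Tuple[str, ...]  # why the entry was flagged


# Line shapes as HJT 2.0.x prints them (regexes are my own assumption).
F2_USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
MISSING_RE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*) \(file missing\)$")
# Heuristics: autostart targets under a temp directory, and value names that look machine-generated
# (lower-case letters mixed with digits, 10+ characters). Thresholds are assumptions, tune to taste.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.I)
RANDOM_NAME_RE = re.compile(r"(?=.*\d)(?=.*[a-z])[a-z0-9]{10,}")

# Constructed sample: lines copied from the HJT log in the post above, plus two benign entries for contrast.
SAMPLE_LOG = "\n".join([
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,",
    r"O2 - BHO: C:\WINDOWS\system32\mksno4kgfd4d.dll - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\mksno4kgfd4d.dll (file missing)",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [jsg8jfgfdfhfhf] C:\WINDOWS\TEMP\winlognn.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [j6uh1ykiydc7supm7xbocxpci3ezsx] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\h02vddvfko.exe",
    r"O22 - SharedTaskScheduler: har78w3uhewf8yurhefd - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\mksno4kgfd4d.dll (file missing)",
])


def first_token(cmd: str) -> str:
    """Return the executable from a Run value's command line (quoted path or first *.exe)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)\b", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str) -> List[Finding]:
    """Walk an HJT log and return the entries worth a closer look, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = F2_USERINIT_RE.match(line)
        if m:
            # Userinit is a comma-separated list; only userinit.exe itself belongs there.
            entries = [e.strip() for e in m.group("value").split(",") if e.strip()]
            if entries and not entries[0].lower().endswith("\\userinit.exe"):
                findings.append(Finding("F2", "UserInit", entries[0], ("Userinit replaced",)))
            for extra in entries[1:]:
                findings.append(Finding("F2", "UserInit", extra, ("extra Userinit entry",)))
            continue
        m = O4_RE.match(line)
        if m:
            target = first_token(m.group("cmd"))
            reasons = []
            if TEMP_DIR_RE.search(target):
                reasons.append("autostart target lives in a temp directory")
            if RANDOM_NAME_RE.fullmatch(m.group("name")):
                reasons.append("random-looking value name")
            if reasons:
                findings.append(Finding("O4", m.group("name"), target, tuple(reasons)))
            continue
        m = MISSING_RE.match(line)
        if m:
            # A CLSID still registered but pointing at a deleted file: orphaned hook left behind.
            findings.append(Finding(m.group("section"), m.group("name"), m.group("path"),
                                    ("registered component file is missing",)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name:<45} {f.target}\n     -> {'; '.join(f.reasons)}")
```

Run against the sample it reports the twex.exe Userinit entry, both temp-directory Run values and both orphaned `mksno4kgfd4d.dll` registrations, and stays silent on ccApp and ctfmon. The script only reads a log; deciding what to remove, and noticing that entries reappear after a reboot (which is what the poster describes), still needs the fuller scans the helper asks for next.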



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:15 PM

Posted 28 August 2009 - 04:56 PM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 dolph

dolph
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:15 PM

Posted 31 August 2009 - 09:10 AM

Thanks Sam! Sorry for the late reply. Since this is an office computer, my responses may be slower than most, with none over the weekend.

I must note that I have already taken my usual step of removing the suspect HJT entries from the startup list and have quarantined the suspicious files that MBAM found:


HijackThis entries that were removed before this current startup:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: C:\WINDOWS\system32\mksno4kgfd4d.dll - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\mksno4kgfd4d.dll (file missing)
O4 - HKLM\..\Run: [jsg8jfgfdfhfhf] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKCU\..\Run: [j6uh1ykiydc7supm7xbocxpci3ezsx] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\h02vddvfko.exe
O4 - HKCU\..\Run: [zcofald670wrw7zz3xl] C:\WINDOWS\TEMP\at2lhcj86.exe
O4 - HKCU\..\Run: [jsg8jfgfdfhfhf] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKCU\..\Run: [ymw1ukugladk6a9edg0hn5mabk1dg74f6q6gsvldu] C:\WINDOWS\TEMP\mprjqnds.exe
O4 - HKCU\..\Run: [lgepycum0bevr3695vzzn68g599tx5pj8s7qiuwku] C:\WINDOWS\TEMP\bamy74.exe
O4 - HKCU\..\Run: [qul128owywpmats8l4pxjbk7dhbiau3ihukybeimogq00pyic] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\kbw8x7yxahx6.exe
O4 - HKCU\..\Run: [lvj1x2hi03] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\ur8bs3bc.exe
O4 - HKCU\..\Run: [kl2kdb7vkf5jzqdg7] C:\WINDOWS\TEMP\baqfw3.exe
O4 - HKCU\..\Run: [ghlqb8nawxj4v1q4xrl] C:\WINDOWS\TEMP\ldqtuo3.exe
O4 - HKCU\..\Run: [s8d06mj5nfv] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\fivj76gxhn.exe
O4 - HKCU\..\Run: [jcykhssi6wjq3pqj64y5d3zqzv48qp3knm] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\sqpy5aq4yys.exe
O4 - HKCU\..\Run: [rusv837kd1qcmtk7nacrtvvf8bt87twld2njnnz1ss5] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\u50asmlz9tk.exe
O4 - HKCU\..\Run: [tyc6ve87l8q2vrhqv3wxxva0961rpaoz6u03nq53c1b] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\dm17kbl2nb.exe
O4 - HKCU\..\Run: [hgohunn2s073ulxvwe0g1s] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\zf7gsn5ygq4.exe
O4 - HKCU\..\Run: [prriooj31] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\kudnsr1.exe
O4 - HKCU\..\Run: [hg8qt5dun3qvdn0wczjo1cdg6kakbnlw4h5y0m2by5mhll] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\k238nik540.exe
O4 - HKCU\..\Run: [tkvmd3efbc5v8] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\zeez6nikkte3d.exe
O4 - HKCU\..\Run: [tjkiaqo7kf2mrt6c61rssdesrz] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\dhp74t9zu5443.exe
O4 - HKCU\..\Run: [oilhzbd3hpbm64bti0gzp5p3090aj0g1f14ti3n9jpz1r943] C:\WINDOWS\TEMP\yrh01q7y5ppb.exe
O4 - HKCU\..\Run: [h3drp3uos1zj0aso] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\mvj1015vx.exe
O4 - HKCU\..\Run: [qwcm6rb6n2o74y2ay8x566i3smqowzxb] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\c9iq3hw7l.exe
O4 - HKCU\..\Run: [gx51rf8ihvi06zkeb1u0zj9ljl7vy] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\i2iyqp.exe
O4 - HKCU\..\Run: [jbvyztgkfisccezt70kunk9] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\btjiur32.exe
O4 - HKCU\..\Run: [vot9t81hkd281tvlk] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\odqnwj882odr.exe
O4 - HKCU\..\Run: [jjc4im6mn88in] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\rokqq2nvqtq.exe
O4 - HKCU\..\Run: [mxvikaat3l03hbcjhsp] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\lqd64nbb4h.exe
O22 - SharedTaskScheduler: har78w3uhewf8yurhefd - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\mksno4kgfd4d.dll (file missing)


-

The OTL log is posted here:

OTL logfile created on: 8/31/2009 8:48:20 AM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Kevin.ARCHDEM\My Documents\installer files
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 9600 9600 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 392.19 Gb Free Space | 84.21% Space Free | Partition Type: NTFS
Drive D: | 7.62 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive P: | 1862.64 Gb Total Space | 1272.55 Gb Free Space | 68.32% Space Free | Partition Type: NTFS
Drive Q: | 1862.64 Gb Total Space | 1272.55 Gb Free Space | 68.32% Space Free | Partition Type: NTFS
Drive R: | 1862.64 Gb Total Space | 1272.55 Gb Free Space | 68.32% Space Free | Partition Type: NTFS

Computer Name: USER-D75B93B10D
Current User Name: Kevin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2008/04/04 19:55:36 | 02,475,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2008/02/01 02:25:16 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2008/11/11 11:49:56 | 00,114,688 | ---- | M] (Sepialine, Inc.) -- C:\Program Files\Sepialine\Argos Print Monitor\SepialineBDMonitor.exe
PRC - [2009/03/09 05:19:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/12/07 00:28:44 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2008/10/07 14:33:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2007/09/26 03:33:47 | 00,090,112 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\System32\STacSV.exe
PRC - [2008/04/04 20:01:20 | 02,234,296 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/01/26 10:27:38 | 00,245,760 | ---- | M] (Sepialine, Inc.) -- C:\Program Files\Sepialine\Argos Print Monitor\SepialineDesktopClient.exe
PRC - [2008/04/04 19:55:38 | 01,660,288 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2008/02/01 02:25:38 | 00,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2007/07/04 14:01:36 | 00,148,776 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
PRC - [2007/07/04 14:01:56 | 00,910,632 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
PRC - [2007/07/04 14:01:52 | 00,267,560 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
PRC - [2009/05/20 11:06:41 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/04/04 19:55:34 | 00,349,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
PRC - [2007/08/11 20:05:27 | 01,418,608 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\luall.exe
PRC - [2007/08/11 20:05:27 | 03,093,872 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE
PRC - [2007/08/11 20:05:27 | 00,484,720 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
PRC - [2007/08/11 20:05:27 | 00,484,720 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
PRC - [2009/08/31 08:45:30 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kevin.ARCHDEM\My Documents\installer files\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/06/02 17:47:09 | 00,068,096 | ---- | M] () -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
SRV - [2008/11/11 11:49:56 | 00,114,688 | ---- | M] (Sepialine, Inc.) -- C:\Program Files\Sepialine\Argos Print Monitor\SepialineBDMonitor.exe -- (Argos Billing Dialog [Auto | Running])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/05/19 09:12:55 | 00,079,360 | ---- | M] (Autodesk) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service [On_Demand | Stopped])
SRV - [2008/02/10 02:31:02 | 01,326,232 | ---- | M] (Autodesk, Inc.) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe -- (Autodesk Network Licensing Service [On_Demand | Stopped])
SRV - [2008/02/01 02:25:16 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr [Auto | Running])
SRV - [2008/02/01 02:25:16 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2009/04/21 09:06:19 | 00,651,720 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/02/03 11:19:58 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9861b45c685b2 [Auto | Stopped])
SRV - [2009/03/24 10:04:28 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Stopped])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/03/09 05:19:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2008/12/07 00:28:44 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
SRV - [2007/08/11 20:05:27 | 03,093,872 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate [On_Demand | Running])
SRV - [2007/07/04 13:59:24 | 00,779,560 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService [On_Demand | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/07/04 14:01:52 | 00,267,560 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService [On_Demand | Running])
SRV - [2008/10/07 14:33:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2006/05/11 19:15:50 | 00,052,736 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\System32\hpzipm12.dll -- (Pml Driver HPZ12 [Auto | Running])
SRV - [2008/04/04 19:55:36 | 02,475,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService [Auto | Running])
SRV - [2008/04/04 03:45:18 | 00,288,136 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC [On_Demand | Stopped])
SRV - [2007/09/26 03:33:47 | 00,090,112 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\System32\STacSV.exe -- (STacSV [Auto | Running])
SRV - [2008/04/04 20:01:20 | 02,234,296 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
SRV - [2007/10/18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [Disabled | Stopped])
SRV - [2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [Disabled | Stopped])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [Disabled | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2005/07/20 18:08:26 | 00,327,808 | ---- | M] (Aladdin Knowledge Systems Ltd.) -- C:\WINDOWS\System32\DRIVERS\akshasp.sys -- (akshasp [On_Demand | Running])
DRV - [2005/07/20 18:08:28 | 00,100,096 | ---- | M] (Aladdin Knowledge Systems Ltd.) -- C:\WINDOWS\System32\DRIVERS\aksusb.sys -- (aksusb [On_Demand | Running])
DRV - [2008/07/30 18:42:12 | 00,023,888 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\COH_Mon.sys -- (COH_Mon [On_Demand | Stopped])
DRV - [2007/09/26 03:35:38 | 00,254,872 | R--- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e1e5132.sys -- (e1express [On_Demand | Running])
DRV - [2009/08/27 03:00:00 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2009/08/27 03:00:00 | 00,102,448 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
DRV - [2005/07/28 08:18:40 | 00,685,056 | ---- | M] (Aladdin Knowledge Systems Ltd.) -- C:\WINDOWS\System32\drivers\hardlock.sys -- (Hardlock [Auto | Running])
DRV - [2008/04/13 11:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2007/03/13 13:05:30 | 00,044,672 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\HECI.sys -- (HECI [On_Demand | Stopped])
DRV - [2009/08/25 03:00:00 | 00,084,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090827.053\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009/08/25 03:00:00 | 01,323,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090827.053\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2008/10/07 14:33:00 | 06,133,856 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2006/02/28 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2007/09/26 03:33:45 | 00,054,272 | ---- | M] (Sonic Focus, Inc) -- C:\WINDOWS\System32\drivers\sfng32.sys -- (sfng32 [On_Demand | Running])
DRV - [2008/01/17 19:24:44 | 00,420,400 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [System | Running])
DRV - [2008/03/21 20:14:24 | 00,279,088 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SRTSP.SYS -- (SRTSP [System | Running])
DRV - [2008/03/21 20:14:24 | 00,317,616 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SRTSPL.SYS -- (SRTSPL [On_Demand | Stopped])
DRV - [2008/03/21 20:14:24 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SRTSPX.SYS -- (SRTSPX [System | Running])
DRV - [2007/09/26 03:33:48 | 01,184,168 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\System32\drivers\sthda.sys -- (STHDA [On_Demand | Running])
DRV - [2009/02/23 21:27:36 | 00,123,952 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2007/10/30 21:55:34 | 00,027,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV [On_Demand | Running])
DRV - [2007/10/30 21:55:38 | 00,191,536 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI [System | Running])
DRV - [2008/04/04 20:01:46 | 00,091,520 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys -- (SysPlant [Boot | Running])
DRV - [2008/03/12 16:19:50 | 00,049,536 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\DRIVERS\teefer2.sys -- (Teefer2 [On_Demand | Running])
DRV - [2008/04/04 19:59:46 | 00,040,832 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\wpsdrvnt.sys -- (WPS [System | Running])
DRV - [2009/04/20 22:12:14 | 00,149,768 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\WpsHelper.sys -- (WpsHelper [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-511591595-1187453103-3816814527-1147\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-511591595-1187453103-3816814527-1147\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-511591595-1187453103-3816814527-1147\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-511591595-1187453103-3816814527-1147\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-511591595-1187453103-3816814527-1147\S-1-5-21-511591595-1187453103-3816814527-1147\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Wikipedia (en)"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/02/23 20:09:25 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/04/21 08:59:10 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/05/20 11:06:51 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/05/20 11:06:49 | 00,000,000 | ---D | M]

[2008/10/10 09:21:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kevin.ARCHDEM\Application Data\mozilla\Extensions
[2008/10/10 09:21:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kevin.ARCHDEM\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2008/10/10 09:21:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kevin.ARCHDEM\Application Data\mozilla\Firefox\Profiles\r9zhpyyi.default\extensions
[2009/04/21 09:21:40 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/05/20 11:06:49 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/10/14 14:30:33 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/02/23 20:09:35 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/04/13 09:05:53 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/05/20 11:06:38 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/05/20 11:06:38 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/03/09 05:19:09 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2009/05/20 11:06:43 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/05/20 11:06:45 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/05/20 11:06:45 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/05/20 11:06:45 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/05/20 11:06:45 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/05/20 11:06:45 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/05/20 11:06:45 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/05/20 11:06:45 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKU\S-1-5-21-511591595-1187453103-3816814527-1147..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\S-1-5-21-511591595-1187453103-3816814527-1147..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe (Trend Micro Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-511591595-1187453103-3816814527-1147\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-511591595-1187453103-3816814527-1147\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-511591595-1187453103-3816814527-1147\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-511591595-1187453103-3816814527-1147\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-511591595-1187453103-3816814527-1147_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.100.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = archdem.local
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/30 10:10:26 | 00,000,000 | ---D | M] - C:\Autodesk -- [ NTFS ]
O32 - AutoRun File - [2008/05/08 12:59:46 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - File not found - -- [ NTFS ]
O32 - AutoRun File - File not found - -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/08/27 11:07:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin.ARCHDEM\My Documents\09044-BT I_Central_Kevin_backup
[2009/08/27 11:07:33 | 29,102,080 | ---- | C] () -- C:\Documents and Settings\Kevin.ARCHDEM\My Documents\09044-BT I_Central_Kevin.rvt
[2009/08/27 10:35:39 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/08/26 08:57:12 | 00,229,376 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/08/26 08:57:12 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/08/26 08:57:12 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/08/26 08:57:12 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/08/26 08:57:12 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/08/26 08:57:12 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/08/26 08:56:51 | 00,000,000 | --SD | C] -- C:\ComboFix2
[2009/08/24 09:00:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin.ARCHDEM\Desktop\NCARB
[2009/08/20 17:04:58 | 00,000,000 | ---- | C] () -- C:\OPTIpref.xxx
[2009/08/20 09:09:20 | 00,012,790 | ---- | C] () -- C:\Documents and Settings\Kevin.ARCHDEM\My Documents\Revitini backup.ini
[2009/08/19 10:35:40 | 00,000,000 | --SD | C] -- C:\ComboFix
[2009/08/18 08:13:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin.ARCHDEM\Desktop\automaton
[2009/08/17 16:07:10 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/08/17 16:07:10 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009/08/13 15:07:52 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Sepialine
[2009/08/13 09:10:25 | 00,128,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dhtmled.ocx
[2009/08/13 09:10:13 | 01,315,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msoe.dll
[2009/08/06 15:39:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin.ARCHDEM\My Documents\09020-Magnolia Hill-CENTRAL2_Kevin_backup
[2009/08/06 15:39:29 | 21,659,648 | ---- | C] () -- C:\Documents and Settings\Kevin.ARCHDEM\My Documents\09020-Magnolia Hill-CENTRAL2_Kevin.rvt
[2009/08/05 09:49:59 | 00,000,000 | ---D | C] -- C:\Python26
[2009/08/05 09:41:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin.ARCHDEM\Application Data\Blender Foundation
[2009/08/05 09:41:10 | 00,000,000 | ---D | C] -- C:\Program Files\Blender Foundation
[2009/08/05 04:01:48 | 00,204,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mswebdvd.dll
[2009/08/04 13:59:18 | 00,178,354 | ---- | C] () -- C:\Documents and Settings\Kevin.ARCHDEM\My Documents\props.psd
[2009/08/03 10:07:14 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/08/03 10:07:14 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/02/17 16:41:24 | 00,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2008/10/07 21:55:24 | 00,536,576 | ---- | C] () -- C:\WINDOWS\System32\TImage_syb.dll
[2008/10/07 21:54:26 | 00,178,688 | ---- | C] () -- C:\WINDOWS\System32\tcore_syb.dll
[2008/08/27 11:40:23 | 00,000,059 | ---- | C] () -- C:\WINDOWS\ccolwiz.ini
[2008/06/17 17:20:02 | 00,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2008/05/29 14:35:18 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/05/19 09:55:26 | 00,000,067 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2008/05/14 14:52:15 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/05/14 14:38:33 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2008/05/08 15:50:06 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/05/08 14:37:46 | 00,000,692 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008/05/08 13:39:26 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/05/08 13:39:26 | 01,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/05/08 13:39:26 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/05/08 13:39:26 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/05/08 13:39:03 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2008/04/28 11:13:33 | 00,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2006/02/28 07:00:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\win.ini
[2006/02/28 07:00:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\system.ini
[1999/01/22 13:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Files - Modified Within 30 Days ==========

[9 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2009/08/31 08:36:14 | 00,197,475 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/08/31 08:36:11 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/31 08:36:03 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/08/31 08:36:02 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/08/31 08:35:40 | 00,000,000 | ---- | M] () -- C:\WINDOWS\TempFile
[2009/08/31 08:35:33 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/31 08:35:27 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/28 17:18:00 | 00,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2009/08/28 09:49:19 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/08/28 09:36:56 | 00,988,672 | ---- | M] () -- C:\Documents and Settings\Kevin.ARCHDEM\Desktop\2009 TIMESHEET.xls
[2009/08/27 14:44:15 | 00,000,067 | ---- | M] () -- C:\WINDOWS\iltwain.ini
[2009/08/26 16:13:11 | 29,102,080 | ---- | M] () -- C:\Documents and Settings\Kevin.ARCHDEM\My Documents\09044-BT I_Central_Kevin.rvt
[2009/08/26 16:00:07 | 00,000,401 | RHS- | M] () -- C:\boot.ini
[2009/08/26 16:00:06 | 00,000,000 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/08/26 16:00:06 | 00,000,000 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/08/25 16:10:28 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/08/23 03:09:13 | 00,229,376 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/08/21 14:11:10 | 00,022,016 | ---- | M] () -- C:\Documents and Settings\Kevin.ARCHDEM\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/20 17:04:58 | 00,000,000 | ---- | M] () -- C:\OPTIpref.xxx
[2009/08/19 17:54:02 | 00,012,790 | ---- | M] () -- C:\Documents and Settings\Kevin.ARCHDEM\My Documents\Revitini backup.ini
[2009/08/13 18:02:14 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/08/13 13:28:14 | 00,006,621 | ---- | M] () -- C:\Documents and Settings\Kevin.ARCHDEM\Application Data\PrimoPDFSet.xml
[2009/08/12 15:17:29 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/08/05 04:01:48 | 00,204,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mswebdvd.dll
[2009/08/05 04:01:48 | 00,204,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mswebdvd.dll
[2009/08/04 13:59:19 | 00,178,354 | ---- | M] () -- C:\Documents and Settings\Kevin.ARCHDEM\My Documents\props.psd
[2009/08/03 13:36:28 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/03 13:36:06 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
< End of report >



And here is the RootRepeal log:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/31 08:56
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF12CC000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF632B000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEF5F5000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\tempfile
Status: Allocation size mismatch (API: 33570816, Raw: 0)

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090827.053\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0xfc53b298

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0xfc532660

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0xfc15af38

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0xfcc6cdf8

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0xfcc0c6b8

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xfc608430

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0xfcc22c70

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0xfcbb2f88

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0xfc525768

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0xfc5690c0

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0xfcbb1878

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0xfc599688

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0xfc105160

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf5e922f0

#: 143 Function Name: NtQueryDefaultLocale
Status: Hooked by "SysPlant.sys" at address 0xf5b14830

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0xfc155310

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0xfc5989e0

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0xfc5b48d0

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0xfc448eb0

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0xfcc21d18

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0xfc5b4718

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xfcc53318

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0xfcb88b30

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0xfc5c89e8

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0xfc6076c8

==EOF==



Thanks again Sam! This is all new to me, so let me know what I should do next, or if I should wait for the malware to reinsert itself before running these programs again.


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:15 PM

Posted 31 August 2009 - 12:19 PM

That's very weird. It looks like the infection is confined only to the registry and I'm not seeing any indication of any malware files. Are there any kind of backups that are performed on this computer that may be getting restored on a regular basis?


Please delete the version of combofix that you have now and let's get the current version.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 dolph

dolph
  • Topic Starter

  • Members
  • 3 posts
  • Local time:05:15 PM

Posted 31 August 2009 - 03:23 PM

Combofix Log:

ComboFix 09-08-30.04 - Kevin 08/31/2009 14:47.6.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3323.2732 [GMT -5:00]
Running from: c:\documents and settings\Kevin.ARCHDEM\My Documents\installer files\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.

2009-08-31 19:25 . 2009-08-31 19:28 -------- d-s---w- C:\ComboFix3
2009-08-26 13:56 . 2009-08-26 14:21 -------- d-s---w- C:\ComboFix2
2009-08-13 20:07 . 2009-08-13 20:07 -------- d-----w- c:\program files\Common Files\Sepialine
2009-08-13 14:10 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 14:49 . 2009-08-05 14:50 -------- d-----w- C:\Python26
2009-08-05 14:41 . 2009-08-05 14:41 -------- d-----w- c:\documents and settings\Kevin.ARCHDEM\Application Data\Blender Foundation
2009-08-05 14:41 . 2009-08-05 14:41 -------- d-----w- c:\program files\Blender Foundation
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 13:35 . 2009-02-03 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-28 22:59 . 2009-05-20 16:45 487848 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-24 14:10 . 2008-05-19 16:22 -------- d-----w- c:\documents and settings\Kevin.ARCHDEM\Application Data\AdobeUM
2009-08-13 20:07 . 2008-05-20 19:10 -------- d-----w- c:\program files\Sepialine
2009-08-05 14:25 . 2009-04-23 18:26 -------- d-----w- c:\program files\MAM
2009-08-05 14:24 . 2009-06-02 13:53 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-05 09:01 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 18:36 . 2009-04-23 18:26 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-04-23 18:26 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-24 16:18 . 2009-05-04 14:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-23 15:22 . 2009-07-23 15:17 -------- d-----w- c:\program files\The KMPlayer
2009-07-17 19:01 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2006-02-28 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-02-28 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2006-02-28 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2006-02-28 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2008-05-08 17:56 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2006-02-28 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2006-02-28 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2006-02-28 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-01-16 20:05 . 2009-01-16 20:03 9636896 -c--a-w- c:\program files\LS_Update_1.17.90.1_.exe
2009-01-16 19:59 . 2009-01-16 19:58 9954992 -c--a-w- c:\program files\LightScribeTemplateLabeler_1.17.90.1.exe
2009-01-16 19:55 . 2009-01-16 19:52 17701816 ----a-w- c:\program files\LightScribeSimpleLabeler_1.17.90.1.exe
2009-01-13 23:28 . 2009-01-13 23:03 164412304 ----a-w- c:\program files\Autodesk_NavisWorks_Freedom_2009.1_English_Win_32bit.exe
2009-01-13 15:37 . 2009-01-13 15:37 1248953 ----a-w- c:\program files\EarthConnectorRevit.exe
2009-01-13 15:23 . 2009-01-13 15:23 1035408 ----a-w- c:\program files\Google Updater.exe
2008-05-19 13:46 . 2008-05-19 13:45 2400784 -c--a-w- c:\program files\WLinstaller.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-08-26_14.09.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-31 13:36 . 2009-08-31 13:36 16384 c:\windows\Temp\Perflib_Perfdata_1ac.dat
+ 2008-05-19 16:20 . 2009-08-31 16:44 2248192 c:\windows\Installer\507453.msi
- 2008-05-19 16:20 . 2009-08-25 14:54 2248192 c:\windows\Installer\507453.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-07-04 148776]
"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2009-05-20 396288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Rpcdf2gsphuu"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 9:01 AM 102448]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate1c9861b45c685b2;Google Update Service (gupdate1c9861b45c685b2);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2009 11:20 AM 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 2:55 PM 23888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-03 15:04]

2009-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 16:19]

2009-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 16:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Kevin.ARCHDEM\Application Data\Mozilla\Firefox\Profiles\r9zhpyyi.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 14:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-511591595-1187453103-3816814527-1147\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\sxs.dll

- - - - - - - > 'explorer.exe'(128)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\msi.dll
.
Completion time: 2009-08-31 15:11
ComboFix-quarantined-files.txt 2009-08-31 20:11
ComboFix2.txt 2009-08-26 14:21
ComboFix3.txt 2009-08-03 15:31
ComboFix4.txt 2009-07-09 14:29
ComboFix5.txt 2009-08-31 19:26

Pre-Run: 421,133,066,240 bytes free
Post-Run: 421,124,743,168 bytes free

165 --- E O F --- 2009-08-13 23:02


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:15 PM

Posted 01 September 2009 - 11:42 AM

Again here I'm not seeing much to be concerned about. Just one small item which we can fix easily.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, to your desktop.

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Rpcdf2gsphuu"=-

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


My theory is that somehow a registry restore or backup is being restored on your computer and that restores the signs of malware that you are seeing. As of right now I don't see any signs of an active infection.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
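The "Reg Loading Points" section of the log above is a REGEDIT4-style dump, and the items the helper weighs (the firewall profile, the globally opened port, the Security Center monitoring override, the leftover msconfig service entry) all live in it. The following is an added example, not the helper's code and not part of ComboFix or HijackThis: a small parser that reads that section, flags those settings from a defender's point of view, and renders the same kind of CFScript `Registry::` block the helper posted (`"name"=-` is the REGEDIT4 syntax for deleting a value). The sample text is constructed from entries visible in the thread; the `KNOWN_MSCONFIG_SERVICES` allowlist and the `looks_random` heuristic are assumptions of this example, not ComboFix rules.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example (not from the thread and not a ComboFix component). It parses
the REGEDIT4-style key/value dump, flags hardening-relevant settings, and
emits a CFScript fragment for leftover msconfig service entries.
"""
import re

# Constructed sample, assembled from entries visible in the thread's log.
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Rpcdf2gsphuu"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
""".strip()

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# Assumption: an analyst-maintained allowlist of msconfig entries that are
# known Windows Media Player / Windows Live components, not a ComboFix list.
KNOWN_MSCONFIG_SERVICES = {"wmpnetworksvc", "wlsetupsvc", "usnjsvc"}


def parse_reg_points(text):
    """Return {key_path: {value_name: raw_data}} for the REGEDIT4-style dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def find_key(keys, suffix):
    """ComboFix abbreviates hive paths (HKLM\\~\\...), so match on a suffix."""
    suffix = suffix.lower()
    return next((p for p in keys if p.lower().endswith(suffix)), None)


def as_int(raw):
    """Interpret ComboFix's 'dword:00000001' and '3 (0x3)' forms as an int."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def looks_random(name):
    """Heuristic (assumption): digits embedded between letters plus a run of
    four or more consonants, typical of generated names, rare in real ones."""
    digit_inside = re.fullmatch(r"[A-Za-z]+\d+[A-Za-z]+", name) is not None
    consonant_run = re.search(r"[b-df-hj-np-tv-z]{4,}", name, re.I) is not None
    return digit_inside and consonant_run


def triage(text):
    """Return (finding, key_path, value_name) tuples worth a second look."""
    keys, findings = parse_reg_points(text), []
    fw = find_key(keys, r"firewallpolicy\standardprofile")
    if fw and as_int(keys[fw].get("EnableFirewall", "")) == 0:
        findings.append(("firewall_disabled", fw, "EnableFirewall"))
    ports = find_key(keys, r"GloballyOpenPorts\List")
    for name in (keys.get(ports) or {}):
        if name.upper().startswith("3389:"):  # Remote Desktop opened to all
            findings.append(("rdp_port_open", ports, name))
    mon = find_key(keys, r"security center\Monitoring\SymantecAntiVirus")
    if mon and as_int(keys[mon].get("DisableMonitoring", "")) == 1:
        findings.append(("av_monitoring_disabled", mon, "DisableMonitoring"))
    msc = find_key(keys, r"msconfig\services")
    for name in (keys.get(msc) or {}):
        if name.lower() not in KNOWN_MSCONFIG_SERVICES or looks_random(name):
            findings.append(("orphaned_msconfig_service", msc, name))
    return findings


def build_cfscript(findings):
    """Render a CFScript 'Registry::' block deleting orphaned msconfig values."""
    by_key = {}
    for kind, key, name in findings:
        if kind == "orphaned_msconfig_service":
            by_key.setdefault(key, []).append(name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for kind, key, name in triage(SAMPLE_LOG):
        print(f"{kind:28s} {name}  ({key})")
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Run against the sample, the script reports the disabled firewall, the globally open 3389/TCP entry, the Security Center override (expected when a third-party product is managing AV status, but worth confirming it matches the installed product) and the `Rpcdf2gsphuu` msconfig leftover, then prints the three-line `Registry::` block in the same form as the helper's CFScript. Flagging an msconfig entry only says the corresponding service is unknown to the allowlist; it is a prompt to check whether the service still exists, not a verdict.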



