PLEASE Help with Malware / Trojan - Hijack This log included


This topic is locked
3 replies to this topic

#1 JTRAHAN63
Posted 14 August 2010 - 12:45 PM

I have run several anti-malware / anti-virus programs. They find issues, I repair them and they keep popping back up.

Note that all "cam", "coopcam" and "c-a-m" are related to the network for my job.

Any help would be greatly appreciated.

JT
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:37:27 PM, on 8/14/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
c:Program FilesMicrosoft ForefrontClient SecurityClientAntimalwareMsMpEng.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesAVGAVG9avgchsvx.exe
C:Program FilesAVGAVG9avgrsx.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesAVGAVG9avgcsrvx.exe
C:WINDOWSsystem32spoolsv.exe
C:Program FilesCommon FilesAppleMobile Device SupportAppleMobileDeviceService.exe
C:Program FilesAVGAVG9avgwdsvc.exe
C:Program FilesBonjourmDNSResponder.exe
C:Program FilesCisco SystemsVPN Clientcvpnd.exe
C:WINDOWSsystem32DWRCS.EXE
C:Program FilesMicrosoft ForefrontClient SecurityClientSSAFcsSas.exe
C:Program FilesAVGAVG9avgnsx.exe
C:Program FilesJavajre6binjqs.exe
C:Program Files1ENomadBranchNomadBranch.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32CCMCcmExec.exe
C:Program FilesMicrosoft ForefrontClient SecurityClientMicrosoft Operations Manager 2005MOMService.exe
C:Program FilesCanonCALCALMAIN.exe
C:WINDOWSsystem32DWRCST.exe
C:WINDOWSsystem32igfxtray.exe
C:WINDOWSsystem32hkcmd.exe
C:Program FilesltmohLtmoh.exe
C:WINDOWSsystem32fpapli.exe
C:WINDOWSsystem32Tprbtn.exe
C:Program FilesMicrosoft Office Communicatorcommunicator.exe
C:Program FilesNuancePDF Professional 6pdfpro6hook.exe
C:PROGRA~1AVGAVG9avgtray.exe
C:Program FilesiTunesiTunesHelper.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesIObitAdvanced SystemCare 3AWC.exe
C:Program FilesSUPERAntiSpywareSUPERAntiSpyware.exe
C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe
C:Program FilesiPodbiniPodService.exe
C:Program FilesVerizon WirelessVZAccess ManagerVZAccess Manager.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesInternet Exploreriexplore.exe
C:WINDOWSsystem32msiexec.exe
C:WINDOWSexplorer.exe
C:Program FilesTrend MicroHijackThisHiJackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://intranet.c-a-m.com
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://intranet.c-a-m.com
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://intranet.c-a-m.com
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:Program FilesYahoo!CompanionInstallscpnyt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:Program FilesAVGAVG9ToolbarIEToolbar.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:Program FilesTechSmithSnagit 9SnagitBHO.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:Program FilesYahoo!CompanionInstallscpnyt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:Program FilesAVGAVG9avgssie.dll
O2 - BHO: PlusIEEventHelper Class - {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - C:Program FilesNuancePDF Professional 6BinPlusIEContextMenu.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:Program FilesAVGAVG9ToolbarIEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:Program FilesGoogleGoogle ToolbarGoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:Program FilesGoogleGoogleToolbarNotifier5.5.5126.1836swg.dll
O2 - BHO: ZeonIEEventHelper Class - {DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} - C:Program FilesNuancePDF Professional 6BinZeonIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:Program FilesJavajre6binjp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:Program FilesJavajre6libdeployjqsiejqs_plugin.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:Program FilesTechSmithSnagit 9SnagitIEAddin.dll
O3 - Toolbar: Nuance PDF - {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - C:Program FilesNuancePDF Professional 6BinZeonIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:Program FilesAVGAVG9ToolbarIEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:Program FilesGoogleGoogle ToolbarGoogleToolbar_32.dll
O4 - HKLM..Run: [IgfxTray] C:WINDOWSsystem32igfxtray.exe
O4 - HKLM..Run: [HotKeysCmds] C:WINDOWSsystem32hkcmd.exe
O4 - HKLM..Run: [LtMoh] C:Program FilesltmohLtmoh.exe
O4 - HKLM..Run: [gemstrmw] C:WINDOWSsystem32gemstrmw.exe /r
O4 - HKLM..Run: [scroller] fpapli.exe
O4 - HKLM..Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre6binjusched.exe"
O4 - HKLM..Run: [Communicator] "C:Program FilesMicrosoft Office Communicatorcommunicator.exe" /fromrunkey
O4 - HKLM..Run: [PDFHook] C:Program FilesNuancePDF Professional 6pdfpro6hook.exe
O4 - HKLM..Run: [PDF6 Registry Controller] C:Program FilesNuancePDF Professional 6RegistryController.exe
O4 - HKLM..Run: [AVG9_TRAY] C:PROGRA~1AVGAVG9avgtray.exe
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime
O4 - HKLM..Run: [iTunesHelper] "C:Program FilesiTunesiTunesHelper.exe"
O4 - HKLM..Run: [khefedsys] rundll32.exe "opmnml.dll",s
O4 - HKLM..Run: [DameWare MRC Agent] C:WINDOWSsystem32DWRCST.exe
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [Advanced SystemCare 3] "C:Program FilesIObitAdvanced SystemCare 3AWC.exe" /startup
O4 - HKCU..Run: [SUPERAntiSpyware] C:Program FilesSUPERAntiSpywareSUPERAntiSpyware.exe
O4 - HKCU..Run: [swg] "C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe"
O4 - HKUSS-1-5-18..Run: [DWQueuedReporting] "C:PROGRA~1COMMON~1MICROS~1DWdwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUSS-1-5-18..Run: [qkusshwg] C:Documents and SettingsNetworkServiceLocal SettingsApplication Dataxkqowhfongqohlwttssd.exe (User 'SYSTEM')
O4 - HKUSS-1-5-18..Run: [Npopageca] rundll32.exe "C:WINDOWSdexwlex.dll",Startup (User 'SYSTEM')
O4 - HKUSS-1-5-18..Run: [vtroppsys] rundll32.exe "opmnml.dll",s (User 'SYSTEM')
O4 - HKUSS-1-5-18..RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%InstallerTSClientMsiTranstscuinst.vbs" (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [DWQueuedReporting] "C:PROGRA~1COMMON~1MICROS~1DWdwtrig20.exe" -t (User 'Default user')
O4 - HKUS.DEFAULT..RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%InstallerTSClientMsiTranstscuinst.vbs" (User 'Default user')
O6 - HKCUSoftwarePoliciesMicrosoftInternet ExplorerRestrictions present
O6 - HKCUSoftwarePoliciesMicrosoftInternet ExplorerControl Panel present
O8 - Extra context menu item: Append the content of the link to existing PDF file - res://C:Program FilesNuancePDF Professional 6BinZeonIEFavClient.dll/ZeonIEAppend.HTML
O8 - Extra context menu item: Append the content of the selected links to existing PDF file - res://C:Program FilesNuancePDF Professional 6BinZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
O8 - Extra context menu item: Append to existing PDF file - res://C:Program FilesNuancePDF Professional 6BinZeonIEFavClient.dll/ZeonIEAppend.HTML
O8 - Extra context menu item: Create PDF file - res://C:Program FilesNuancePDF Professional 6BinZeonIEFavClient.dll/ZeonIECapture.HTML
O8 - Extra context menu item: Create PDF file from the content of the link - res://C:Program FilesNuancePDF Professional 6BinZeonIEFavClient.dll/ZeonIECapture.HTML
O8 - Extra context menu item: Create PDF files from the selected links - res://C:Program FilesNuancePDF Professional 6BinZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office12EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:Program FilesGoogleGoogle ToolbarComponentGoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O8 - Extra context menu item: Open with Nuance PDF Converter 6.0 - res://C:Program FilesNuancePDF Professional 6cnvres_eng.dll /100
O8 - Extra context menu item: Open with PDF Professional 6 - res://C:Program FilesNuancePDF Professional 6BinPlusIEContextMenu.dll/PlusIEContextMenu.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2Office12REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet.c-a-m.com
O15 - Trusted Zone: *.c-a-m.com
O15 - Trusted Zone: http://*.camclysm01
O15 - Trusted Zone: *.cctrainer.com
O15 - Trusted Zone: *.ccc.coopcam.com
O15 - Trusted Zone: camclysm01.ccc.coopcam.com
O15 - Trusted Zone: camclysm02.ccc.coopcam.com
O15 - Trusted Zone: ccceqis01.ccc.coopcam.com
O15 - Trusted Zone: *.ihs.com
O15 - Trusted Zone: *.ihserc.com
O15 - Trusted Zone: *.liveperson.net
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://www.wise.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://www.wise.com (HKLM)
O16 - DPF: {0CE39AB9-27D9-4D58-9DC1-99405AFB86F4} (WMIRegistryDLL.WMIRegistry) - http://camccp.c-a-m.com/mypcinfo/bin/WMIRegistryDLL.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1226250718937
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...indows-i586.cab
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.aquire.com/codebase81/OrgPubX.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -
O16 - DPF: {EF55A67E-D9E4-4151-B026-1BE1B535ABFD} (ESDComputerName.ESDGetComputerName) - http://software.ccc.coopcam.com/ESD/ESDComputerName.CAB
O17 - HKLMSystemCCSServicesTcpipParameters: Domain = ccc.coopcam.com
O17 - HKLMSoftware..Telephony: DomainName = ccc.coopcam.com
O17 - HKLMSystemCCSServicesTcpip..{63A90BF4-76B0-48A5-80CE-CE9CF7E4C49F}: NameServer = 69.78.96.14 66.174.92.14
O17 - HKLMSystemCS1ServicesTcpipParameters: Domain = ccc.coopcam.com
O17 - HKLMSystemCS2ServicesTcpipParameters: Domain = ccc.coopcam.com
O17 - HKLMSystemCS3ServicesTcpipParameters: Domain = ccc.coopcam.com
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:Program FilesAVGAVG9ToolbarIEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:Program FilesAVGAVG9avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:Program FilesSUPERAntiSpywareSASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:WINDOWSsystem32browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:WINDOWSsystem32browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:Program FilesCommon FilesAppleMobile Device SupportAppleMobileDeviceService.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:Program FilesAVGAVG9ToolbarToolbarBroker.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:Program FilesAVGAVG9avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:Program FilesBonjourmDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:Program FilesCanonCALCALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:Program FilesCisco SystemsVPN Clientcvpnd.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:WINDOWSsystem32DWRCS.EXE
O23 - Service: FlipShare Service - Unknown owner - C:Program FilesFlip VideoFlipShareFlipShareService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:Program FilesGoogleUpdateGoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver1050Intel 32IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service ImapiServiceWmi (ImapiServiceWmi) - Unknown owner - C:WINDOWSsystem321028m.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:Program FilesiPodbiniPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:Program FilesJavajre6binjqs.exe
O23 - Service: Nomad Branch (NomadBranch) - 1E - C:Program Files1ENomadBranchNomadBranch.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:Program FilesCommon FilesRoxio Shared9.0SharedCOMRoxLiveShare9.exe (file missing)

--
End of file - 14800 bytes

Since I posted the HijackThis log, AVG Resident Shield Alert popped up with a trojan horse threat -
Threat Name: Trojan horse Sheur3.ATDD
File: c:System Volume Information_restore{84B61A6D-69DD-4A93-ABBB-9DD71900CF81}RP622A0044329.dll

Portions of the AVG log are below. The most recent attacks are at the top of the list.


Infection Object Process

Trojan horse SHeur3.ATDD
c:System Volume Information_restore{84B61A6D-69DD-4A93-ABBB-9DD71900CF81}RP622A0044329.dll
C:WINDOWSsystem32svchost.exe

Trojan horse SHeur3.ATDD
c:WINDOWSsystem32opmnml.dll
C:WINDOWSsystem32dumprep.exe

Trojan horse SHeur3.ATDD
c:WINDOWSsystem32opmnml.dll
C:WINDOWSsystem32lsass.exe

Trojan horse Downloader.Generic10.ANV
c:WINDOWSTempexe.exe
C:WINDOWSsystem32CCMCcmExec.exe

Virus found HTML/Framer
c:Documents and SettingstrahanjhLocal SettingsTemporary Internet FilesContent.IE5LOFO3JRFrecaptcha_ajax[1].js
C:Program FilesMalwarebytes' Anti-Malwarembam.exe

Virus found HTML/Framer
c:Documents and SettingsNetworkServiceLocal SettingsTemporary Internet FilesContent.IE58PSU3LUSoven[2].htm
C:Program FilesMalwarebytes' Anti-Malwarembam.exe

Virus found HTML/Framer
c:Documents and SettingsNetworkServiceLocal SettingsTemporary Internet FilesContent.IE58PSU3LUSoven[1].htm
C:Program FilesMalwarebytes' Anti-Malwarembam.exe

Trojan horse SHeur3.AHTH
c:System Volume Information_restore{84B61A6D-69DD-4A93-ABBB-9DD71900CF81}RP571A0038478.dll
C:WINDOWSsystem32svchost.exe

Trojan horse Generic18.AEKM
c:System Volume Information_restore{84B61A6D-69DD-4A93-ABBB-9DD71900CF81}RP571A0038477.exe
C:WINDOWSsystem32svchost.exe

Trojan horse Generic18.AEKM
c:Documents and SettingsNetworkServiceLocal SettingsApplication Dataoojevrvaipobohjktssd.exe
C:WINDOWSExplorer.EXE

Trojan horse Cryptic.AHC
c:Documents and SettingsNetworkServiceLocal SettingsTemporary Internet FilesContent.IE5PPW56VE4setup[1].exe
C:WINDOWSTempexe.exe

Trojan horse SHeur3.ACHV
c:System Volume Information_restore{84B61A6D-69DD-4A93-ABBB-9DD71900CF81}RP515A0030972.exe
c:Program FilesMicrosoft ForefrontClient SecurityClientAntimalwareMsMpEng.exe

Trojan horse Generic18.EKW
c:System Volume Information_restore{84B61A6D-69DD-4A93-ABBB-9DD71900CF81}RP515A0030966.exe
c:Program FilesMicrosoft ForefrontClient SecurityClientAntimalwareMsMpEng.exe

DDS TOOL LOG:


DDS (Ver_10-03-17.01) - NTFSx86
Run by trahanjh at 12:57:04.04 on Sat 08/14/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.264 [GMT -5:00]

AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
svchost.exe
c:Program FilesMicrosoft ForefrontClient SecurityClientAntimalwareMsMpEng.exe
C:WINDOWSsystem32svchost.exe -k WudfServiceGroup
C:Program FilesAVGAVG9avgchsvx.exe
C:Program FilesAVGAVG9avgrsx.exe
C:WINDOWSsystem32svchost.exe -k netsvcs
C:Program FilesAVGAVG9avgcsrvx.exe
svchost.exe
svchost.exe
C:WINDOWSsystem32spoolsv.exe
svchost.exe
C:Program FilesCommon FilesAppleMobile Device SupportAppleMobileDeviceService.exe
C:Program FilesAVGAVG9avgwdsvc.exe
C:Program FilesBonjourmDNSResponder.exe
C:Program FilesCisco SystemsVPN Clientcvpnd.exe
C:WINDOWSsystem32DWRCS.EXE
C:Program FilesMicrosoft ForefrontClient SecurityClientSSAFcsSas.exe
C:Program FilesAVGAVG9avgnsx.exe
C:Program FilesJavajre6binjqs.exe
C:Program Files1ENomadBranchNomadBranch.exe
C:WINDOWSsystem32svchost.exe -k imgsvc
C:WINDOWSsystem32CCMCcmExec.exe
C:Program FilesMicrosoft ForefrontClient SecurityClientMicrosoft Operations Manager 2005MOMService.exe
C:Program FilesCanonCALCALMAIN.exe
C:WINDOWSsystem32DWRCST.exe
C:WINDOWSsystem32igfxtray.exe
C:Program FilesltmohLtmoh.exe
C:WINDOWSsystem32fpapli.exe
C:WINDOWSsystem32Tprbtn.exe
C:Program FilesMicrosoft Office Communicatorcommunicator.exe
C:Program FilesNuancePDF Professional 6pdfpro6hook.exe
C:PROGRA~1AVGAVG9avgtray.exe
C:Program FilesiTunesiTunesHelper.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesIObitAdvanced SystemCare 3AWC.exe
C:Program FilesSUPERAntiSpywareSUPERAntiSpyware.exe
C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe
C:Program FilesiPodbiniPodService.exe
C:Program FilesVerizon WirelessVZAccess ManagerVZAccess Manager.exe
C:Program FilesInternet Exploreriexplore.exe
C:WINDOWSexplorer.exe
C:Program FilesTrend MicroHijackThisHiJackThis.exe
C:WINDOWSsystem32NOTEPAD.EXE
C:WINDOWSexplorer.exe
C:WINDOWSsystem32wuauclt.exe
C:Documents and SettingstrahanjhDesktopdds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://intranet.c-a-m.com
uDefault_Page_URL = hxxp://intranet.c-a-m.com
mDefault_Page_URL = hxxp://intranet.c-a-m.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:program filesyahoo!companioninstallscpnyt.dll
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:program filesavgavg9toolbarIEToolbar.dll
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:program filestechsmithsnagit 9SnagitBHO.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:program filesyahoo!companioninstallscpnyt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:program filescommon filesadobeacrobatactivexAcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:program filesavgavg9avgssie.dll
BHO: PlusIEEventHelper Class: {551a852f-39a6-44a7-9c13-afbec9185a9d} - c:program filesnuancepdf professional 6binPlusIEContextMenu.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:program filesavgavg9toolbarIEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:program filesgooglegoogle toolbarGoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:program filesgooglegoogletoolbarnotifier5.5.5126.1836swg.dll
BHO: ZeonIEEventHelper Class: {da986d7d-ccaf-47b2-84fe-bfa1549bebf9} - c:program filesnuancepdf professional 6binZeonIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:program filesjavajre6binjp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:program filesjavajre6libdeployjqsiejqs_plugin.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:program filestechsmithsnagit 9SnagitIEAddin.dll
TB: Nuance PDF: {e3286bf1-e654-42ff-b4a6-5e111731df6b} - c:program filesnuancepdf professional 6binZeonIEFavClient.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:program filesavgavg9toolbarIEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:program filesgooglegoogle toolbarGoogleToolbar_32.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
uRun: [Advanced SystemCare 3] "c:program filesiobitadvanced systemcare 3AWC.exe" /startup
uRun: [SUPERAntiSpyware] c:program filessuperantispywareSUPERAntiSpyware.exe
uRun: [swg] "c:program filesgooglegoogletoolbarnotifierGoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:windowssystem32igfxtray.exe
mRun: [HotKeysCmds] c:windowssystem32hkcmd.exe
mRun: [LtMoh] c:program filesltmohLtmoh.exe
mRun: [gemstrmw] c:windowssystem32gemstrmw.exe /r
mRun: [scroller] fpapli.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [SunJavaUpdateSched] "c:program filesjavajre6binjusched.exe"
mRun: [Communicator] "c:program filesmicrosoft office communicatorcommunicator.exe" /fromrunkey
mRun: [PDFHook] c:program filesnuancepdf professional 6pdfpro6hook.exe
mRun: [PDF6 Registry Controller] c:program filesnuancepdf professional 6RegistryController.exe
mRun: [AVG9_TRAY] c:progra~1avgavg9avgtray.exe
mRun: [QuickTime Task] "c:program filesquicktimeqttask.exe" -atboottime
mRun: [iTunesHelper] "c:program filesitunesiTunesHelper.exe"
mRun: [khefedsys] rundll32.exe "opmnml.dll",s
mRun: [DameWare MRC Agent] c:windowssystem32DWRCST.exe
dRun: [DWQueuedReporting] "c:progra~1common~1micros~1dwdwtrig20.exe" -t
dRun: [qkusshwg] c:documents and settingsnetworkservicelocal settingsapplication dataxkqowhfongqohlwttssd.exe
dRun: [Npopageca] rundll32.exe "c:windowsdexwlex.dll",Startup
dRun: [vtroppsys] rundll32.exe "opmnml.dll",s
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%InstallerTSClientMsiTranstscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%InstallerTSClientMsiTranstscdsbl.bat"
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = av.exe
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
IE: Append the content of the link to existing PDF file - c:program filesnuancepdf professional 6binZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:program filesnuancepdf professional 6binZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:program filesnuancepdf professional 6binZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Create PDF file - c:program filesnuancepdf professional 6binZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:program filesnuancepdf professional 6binZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:program filesnuancepdf professional 6binZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&xport to Microsoft Excel - c:progra~1micros~2office12EXCEL.EXE/3000
IE: Google Sidewiki... - c:program filesgooglegoogle toolbarcomponentGoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Open with Nuance PDF Converter 6.0 - c:program filesnuancepdf professional 6cnvres_eng.dll /100
IE: Open with PDF Professional 6 - c:program filesnuancepdf professional 6binPlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:progra~1micros~2office12ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:progra~1micros~2office12REFIEBAR.DLL
Trusted Zone: brassring.comsjobs
Trusted Zone: c-a-m.com
Trusted Zone: camclysm01
Trusted Zone: cctrainer.com
Trusted Zone: coopcam.com*.ccc
Trusted Zone: coopcam.comcamclysm01.ccc
Trusted Zone: coopcam.comcamclysm02.ccc
Trusted Zone: coopcam.comccceqis01.ccc
Trusted Zone: google.commaps
Trusted Zone: ihs.com
Trusted Zone: ihserc.com
Trusted Zone: liveperson.net
DPF: {0CE39AB9-27D9-4D58-9DC1-99405AFB86F4} - hxxp://camccp.c-a-m.com/mypcinfo/bin/WMIRegistryDLL.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226250718937
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} - hxxp://www.aquire.com/codebase81/OrgPubX.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {EF55A67E-D9E4-4151-B026-1BE1B535ABFD} - hxxp://software.ccc.coopcam.com/ESD/ESDComputerName.CAB
TCP: {63A90BF4-76B0-48A5-80CE-CE9CF7E4C49F} = 69.78.96.14 66.174.92.14
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:program filesavgavg9toolbarIEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:program filesavgavg9avgpp.dll
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:program filessapfrontendsapguiSAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:program filessapfrontendsapguiSAPHTMLP.DLL
Notify: !SASWinLogon - c:program filessuperantispywareSASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:windowssystem32WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:program filessuperantispywareSASSEH.DLL
LSA: Authentication Packages = msv1_0 opmnml.dll

================= FIREFOX ===================

FF - ProfilePath - c:docume~1trahanjhapplic~1mozillafirefoxprofiles42b96lhz.default
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5577
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:program filesgoogleupdate1.2.183.29npGoogleOneClick8.dll
FF - plugin: c:program filesnuancepdf professional 6binnppdf.dll

---- FIREFOX POLICIES ----
c:program filesmozilla firefoxgreprefsall.js - pref("ui.use_native_colors", true);
c:program filesmozilla firefoxgreprefsall.js - pref("ui.use_native_popup_windows", false);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.enable_click_image_resizing", true);
c:program filesmozilla firefoxgreprefsall.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:program filesmozilla firefoxgreprefsall.js - pref("javascript.options.mem.high_water_mark", 32);
c:program filesmozilla firefoxgreprefsall.js - pref("javascript.options.mem.gc_frequency", 1600);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.lu", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.nu", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.nz", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.tel", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.auth.force-generic-ntlm", false);
c:program filesmozilla firefoxgreprefsall.js - pref("network.proxy.type", 5);
c:program filesmozilla firefoxgreprefsall.js - pref("network.buffer.cache.count", 24);
c:program filesmozilla firefoxgreprefsall.js - pref("network.buffer.cache.size", 4096);
c:program filesmozilla firefoxgreprefsall.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:program filesmozilla firefoxgreprefsall.js - pref("svg.smil.enabled", false);
c:program filesmozilla firefoxgreprefsall.js - pref("ui.trackpoint_hack.enabled", -1);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.debug", false);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.agedWeight", 2);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.bucketSize", 1);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.maxTimeGroupings", 25);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.timeGroupingSize", 604800);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.boundaryWeight", 25);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.prefixWeight", 5);
c:program filesmozilla firefoxgreprefsall.js - pref("accelerometer.enabled", true);
c:program filesmozilla firefoxgreprefsall.js - pref("html5.enable", false);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("lightweightThemes.update.enabled", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.allTabs.previews", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("plugins.update.notifyUser", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("toolbar.customization.usesheet", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("dom.ipc.plugins.enabled", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.taskbar.previews.enable", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.taskbar.previews.max", 20);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 BsStor;InCD Storage Helper Driver;c:windowssystem32driversbsstor.sys [2009-9-26 8040]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:windowssystem32driversavgldx86.sys [2010-6-29 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:windowssystem32driversavgmfx86.sys [2010-6-29 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:windowssystem32driversavgtdix.sys [2010-6-29 243024]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:windowssystem32driversdwvkbd.sys [2007-2-15 26624]
R1 SASDIFSV;SASDIFSV;c:program filessuperantispywaresasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:program filessuperantispywareSASKUTIL.SYS [2010-5-10 67656]
R2 avg9wd;AVG Free WatchDog;c:program filesavgavg9avgwdsvc.exe [2010-7-15 308136]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:program filesmicrosoft forefrontclient securityclientantimalwareMsMpEng.exe [2009-6-3 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:program filesmicrosoft forefrontclient securityclientssaFcsSas.exe [2007-4-6 73120]
R2 MOM;MOM;c:program filesmicrosoft forefrontclient securityclientmicrosoft operations manager 2005MOMService.exe [2005-7-21 134656]
R2 NomadBranch;Nomad Branch;c:program files1enomadbranchNomadBranch.exe [2009-7-21 1234256]
R2 pcinfo;Panasonic PC Info. Viewer Driver;c:program filespanasonicpcinfoPCINFO.sys [2008-8-14 7168]
R3 DwMirror;DwMirror;c:windowssystem32driversDamewareMini.sys [2007-2-7 2944]
R3 FIDMOU;Fujitsu touchpad;c:windowssystem32driversFidmou.sys [2005-4-18 23463]
R3 GTWINSER;GTWINSER;c:windowssystem32driversGTwinSER.sys [2008-8-14 66912]
R3 MpFilter;Microsoft Malware Protection Driver;c:windowssystem32driversMpFilter.sys [2009-9-25 69616]
R3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:windowssystem32driversPTDCWWAN.sys [2009-12-22 114704]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:progra~1verizo~1vzacce~1SMSIVZAM5.SYS [2009-5-25 32408]
S1 MpKsl0d324aad;MpKsl0d324aad;??c:documents and settingsall usersapplication datamicrosoftmicrosoft forefrontclient securityclientantimalwaredefinition updates{e1e25292-68a5-4769-8a9f-79c3ea2568d6}mpksl0d324aad.sys --> c:documents and settingsall usersapplication datamicrosoftmicrosoft forefrontclient securityclientantimalwaredefinition updates{e1e25292-68a5-4769-8a9f-79c3ea2568d6}MpKsl0d324aad.sys [?]
S1 MpKsla60f18e1;MpKsla60f18e1;??c:documents and settingsall usersapplication datamicrosoftmicrosoft forefrontclient securityclientantimalwaredefinition updates{3f91cdf3-432d-450a-a535-59d3cde0d784}mpksla60f18e1.sys --> c:documents and settingsall usersapplication datamicrosoftmicrosoft forefrontclient securityclientantimalwaredefinition updates{3f91cdf3-432d-450a-a535-59d3cde0d784}MpKsla60f18e1.sys [?]
S2 gupdate;Google Update Service (gupdate);c:program filesgoogleupdateGoogleUpdate.exe [2010-1-30 135664]
S2 ImapiServiceWmi;IMAPI CD-Burning COM Service ImapiServiceWmi;c:windowssystem321028m.exe srv --> c:windowssystem321028m.exe srv [?]
S2 stdmpr;Center Time;c:windowssystem32svchost.exe -k netsvcs [2004-8-4 14336]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:program filesavgavg9toolbarToolbarBroker.exe [2010-6-29 430152]
S3 qwotxv;qwotxv;??c:windowssystem32090.tmp --> c:windowssystem32090.tmp [?]
S3 Revoflt;Revoflt;c:windowssystem32driversrevoflt.sys [2010-1-23 27064]
S3 umjywwa;umjywwa;??c:windowssystem3201.tmp --> c:windowssystem3201.tmp [?]
S3 vsdatant;vsdatant;c:windowssystem32vsdatant.sys [2005-1-26 280344]
S4 BsUDF;InCD UDF Driver;c:windowssystem32driversbsudf.sys [2009-9-26 294784]

=============== Created Last 30 ================


==================== Find3M ====================

2010-07-15 13:47:29 243024 ----a-w- c:windowssystem32driversavgtdix.sys
2010-07-15 13:47:16 12536 ----a-w- c:windowssystem32avgrsstx.dll
2010-07-15 13:42:43 216400 ----a-w- c:windowssystem32driversavgldx86.sys
2010-07-14 19:12:51 5888 ----a-w- c:windowssystem32driversqvywexlg.sys
2010-07-09 20:31:39 5888 ----a-w- c:windowssystem32driversksopuiya.sys
2010-07-09 01:05:33 5888 ----a-w- c:windowssystem32driversprdhmpmm.sys
2010-07-07 13:16:41 5888 ----a-w- c:windowssystem32driversbtrptllm.sys
2010-07-03 03:01:05 5888 ----a-w- c:windowssystem32driversnznylstc.sys
2010-07-02 22:07:25 5888 ----a-w- c:windowssystem32driversxzyogyrs.sys
2010-06-25 21:02:19 5888 ----a-w- c:windowssystem32driversnzhdeywi.sys
2010-06-07 14:33:14 72080 ----a-w- c:documents and settingstrahanjhg2mdlhlpx.exe
2010-06-01 17:37:48 221568 ------w- c:windowssystem32MpSigStub.exe
2010-05-18 21:35:16 91424 ----a-w- c:windowssystem32dnssd.dll
2010-05-18 21:35:16 107808 ----a-w- c:windowssystem32dns-sd.exe
2006-12-29 21:15:42 3100672 ----a-w- c:program filescommon filessapxlhelper.dll
2006-12-29 21:15:40 626688 ----a-w- c:program filescommon filessapconsaccess.dll
2006-12-29 21:15:40 40960 ----a-w- c:program filescommon filesDigitalSignature.ocx
2006-12-29 21:15:40 192512 ----a-w- c:program filescommon filessapconsr3.dll
2006-12-07 16:26:26 1129984 ----a-w- c:program filescommon filesSAPActiveXL.xlt
2006-12-07 16:26:26 1124864 ----a-w- c:program filescommon filesSAPActiveXL_nosig.xlt

============= FINISH: 12:59:46.45 ===============

GMER LOG FILE:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-14 17:14:01
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:DOCUME~1trahanjhLOCALS~1Tempugddrfob.sys


---- System - GMER 1.0.15 ----

SSDT ??C:Program FilesSUPERAntiSpywareSASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA66F620]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:WINDOWSsystem32driversdmload.sys
entry point in ".rsrc" section [0xF7B83114]

init C:WINDOWSsystem32DRIVERSGTwinSER.sys
entry point in "init" section [0xA668FE80]

---- User code sections - GMER 1.0.15 ----

.text C:WINDOWSsystem32svchost.exe[360] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A

.text C:WINDOWSsystem32svchost.exe[360] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]

.text C:WINDOWSsystem32svchost.exe[360] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A

.text C:WINDOWSsystem32svchost.exe[360] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C

.text C:WINDOWSsystem32svchost.exe[360] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 024E000A

.text C:WINDOWSsystem32svchost.exe[360] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E1000A

.text C:WINDOWSexplorer.exe[2216] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A

.text C:WINDOWSexplorer.exe[2216] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A

.text C:WINDOWSexplorer.exe[2216] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

.text C:Program FilesVerizon WirelessVZAccess ManagerVZAccess Manager.exe[2360] USER32.dll!SetScrollInfo 7E419056 5 Bytes JMP 00688BF0 C:Program FilesVerizon WirelessVZAccess ManagerVZAccess Manager.exe (VZAccess Manager/Smith Micro Software, Inc.)

.text C:Program FilesVerizon WirelessVZAccess ManagerVZAccess Manager.exe[2360] USER32.dll!GetScrollInfo 7E42DFE2 5 Bytes JMP 00688B40 C:Program FilesVerizon WirelessVZAccess ManagerVZAccess Manager.exe (VZAccess Manager/Smith Micro Software, Inc.)

.text C:Program FilesVerizon WirelessVZAccess ManagerVZAccess Manager.exe[2360] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 00688CC0 C:Program FilesVerizon WirelessVZAccess ManagerVZAccess Manager.exe (VZAccess Manager/Smith Micro Software, Inc.)

.text C:Program FilesVerizon WirelessVZAccess ManagerVZAccess Manager.exe[2360] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 00688B80 C:Program FilesVerizon WirelessVZAccess ManagerVZAccess Manager.exe (VZAccess Manager/Smith Micro Software, Inc.)

.text C:Program FilesVerizon WirelessVZAccess ManagerVZAccess Manager.exe[2360] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 00688C30 C:Program FilesVerizon WirelessVZAccess ManagerVZAccess Manager.exe (VZAccess Manager/Smith Micro Software, Inc.)

.text C:Program FilesVerizon WirelessVZAccess ManagerVZAccess Manager.exe[2360] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 00688BB0 C:Program FilesVerizon WirelessVZAccess ManagerVZAccess Manager.exe (VZAccess Manager/Smith Micro Software, Inc.)

.text C:Program FilesVerizon WirelessVZAccess ManagerVZAccess Manager.exe[2360] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 00688C70 C:Program FilesVerizon WirelessVZAccess ManagerVZAccess Manager.exe (VZAccess Manager/Smith Micro Software, Inc.)

.text C:Program FilesVerizon WirelessVZAccess ManagerVZAccess Manager.exe[2360] USER32.dll!EnableScrollBar 7E468005 5 Bytes JMP 00688B00 C:Program FilesVerizon WirelessVZAccess ManagerVZAccess Manager.exe (VZAccess Manager/Smith Micro Software, Inc.)

.text C:WINDOWSexplorer.exe[4596] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A

.text C:WINDOWSexplorer.exe[4596] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A

.text C:WINDOWSexplorer.exe[4596] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

.text C:Program FilesInternet Exploreriexplore.exe[5060] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE000A

.text C:Program FilesInternet Exploreriexplore.exe[5060] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A

.text C:Program FilesInternet Exploreriexplore.exe[5060] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CD000C

.text C:Program FilesInternet Exploreriexplore.exe[5060] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:WINDOWSsystem32IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:Program FilesInternet Exploreriexplore.exe[5060] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E352046 C:WINDOWSsystem32IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:Program FilesInternet Exploreriexplore.exe[5060] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351FC7 C:WINDOWSsystem32IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:Program FilesInternet Exploreriexplore.exe[5060] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E35200B C:WINDOWSsystem32IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:Program FilesInternet Exploreriexplore.exe[5060] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F53 C:WINDOWSsystem32IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:Program FilesInternet Exploreriexplore.exe[5060] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F8D C:WINDOWSsystem32IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:Program FilesInternet Exploreriexplore.exe[5060] USER32.dll!DialogBoxIndirectParamA 7E456D7D 1 Byte [E9]

.text C:Program FilesInternet Exploreriexplore.exe[5060] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352081 C:WINDOWSsystem32IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:Program FilesInternet Exploreriexplore.exe[5060] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:WINDOWSsystem32IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:Program FilesInternet Exploreriexplore.exe[5060] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E352243 C:WINDOWSsystem32IEFRAME.dll (Internet Explorer/Microsoft Corporation)


---- Devices - GMER 1.0.15 ----

AttachedDevice DriverTcpip DeviceIp
avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device -> Driveratapi DeviceHarddisk0DR0
86F15EC5


---- Services - GMER 1.0.15 ----

Service C:WINDOWSsystem32svchost.exe (*** hidden *** )
[AUTO] stdmpr <-- ROOTKIT !!!


---- Registry - GMER 1.0.15 ----

Reg HKLMSYSTEMCurrentControlSetServicesBTHPORTParametersKeys001060d00fa3
Reg HKLMSYSTEMCurrentControlSetServicesstdmpr@DisplayName Center Time
Reg HKLMSYSTEMCurrentControlSetServicesstdmpr@Type 32
Reg HKLMSYSTEMCurrentControlSetServicesstdmpr@Start 2
Reg HKLMSYSTEMCurrentControlSetServicesstdmpr@ErrorControl 0
Reg HKLMSYSTEMCurrentControlSetServicesstdmpr@ImagePath %SystemRoot%system32svchost.exe -k netsvcs
Reg HKLMSYSTEMCurrentControlSetServicesstdmpr@ObjectName LocalSystem
Reg HKLMSYSTEMCurrentControlSetServicesstdmpr@Description Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Reg HKLMSYSTEMCurrentControlSetServicesstdmprParameters
Reg HKLMSYSTEMCurrentControlSetServicesstdmprParameters@ServiceDll C:WINDOWSsystem32neiwo.dll
Reg HKLMSYSTEMControlSet002Servicesstdmpr@DisplayName Center Time
Reg HKLMSYSTEMControlSet002Servicesstdmpr@Type 32
Reg HKLMSYSTEMControlSet002Servicesstdmpr@Start 2
Reg HKLMSYSTEMControlSet002Servicesstdmpr@ErrorControl 0
Reg HKLMSYSTEMControlSet002Servicesstdmpr@ImagePath %SystemRoot%system32svchost.exe -k netsvcs
Reg HKLMSYSTEMControlSet002Servicesstdmpr@ObjectName LocalSystem
Reg HKLMSYSTEMControlSet002Servicesstdmpr@Description Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Reg HKLMSYSTEMControlSet002ServicesstdmprParameters (not active ControlSet)
Reg HKLMSYSTEMControlSet002ServicesstdmprParameters@ServiceDll C:WINDOWSsystem32neiwo.dll
Reg HKLMSYSTEMControlSet003ServicesBTHPORTParametersKeys001060d00fa3 (not active ControlSet)
Reg HKLMSYSTEMControlSet003Servicesstdmpr@DisplayName Center Time
Reg HKLMSYSTEMControlSet003Servicesstdmpr@Type 32
Reg HKLMSYSTEMControlSet003Servicesstdmpr@Start 2
Reg HKLMSYSTEMControlSet003Servicesstdmpr@ErrorControl 0
Reg HKLMSYSTEMControlSet003Servicesstdmpr@ImagePath %SystemRoot%system32svchost.exe -k netsvcs
Reg HKLMSYSTEMControlSet003Servicesstdmpr@ObjectName LocalSystem
Reg HKLMSYSTEMControlSet003Servicesstdmpr@Description Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Reg HKLMSYSTEMControlSet003ServicesstdmprParameters (not active ControlSet)
Reg HKLMSYSTEMControlSet003ServicesstdmprParameters@ServiceDll C:WINDOWSsystem32neiwo.dll


---- Files - GMER 1.0.15 ----

File C:Documents and SettingstrahanjhDesktopAVG Resident Shield.pdf 421386 bytes
File C:WINDOWSsystem32driversdmload.sys suspicious modification
File C:WINDOWSsystem32driversatapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

EDIT: Posts merged ~BP

New attack this morning - caught by AVG Resident Shield -

Infection:
Trojan horse SHeur3.ATDD

Object:
c:System Volume Information_restore{84B61A6D-69DD-4A93-ABBB-9DD71900CF81}RP622A0044329.dll

Process:
C:WINDOWSsystem32svchost.exe

Another attack today - caught by Malwarebytes.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4434

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

8/16/2010 7:50:20 AM mbam-log-2010-08-16 (07-50-20).txt

Scan type: Full scan (C:\|)
Objects scanned: 238298
Time elapsed: 2 hour(s), 45 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khefedsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vtroppsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vtroppsys (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

EDIT: Posts merged ~BP

Edited by Budapest, 16 August 2010 - 04:45 PM.


#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:07:21 AM

Posted 21 August 2010 - 01:36 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  1. Double click on RSIT.exe to run RSIT.
  2. Click Continue at the disclaimer screen.
  3. Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  1. Reply to this thread; do not start another!
  2. Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  3. Do not run any other tool until instructed to do so!
  4. Let me know if any of the links do not work or if any of the tools do not work.
  5. Tell me about problems or symptoms that occur during the fix.
  6. Do not run any other programs or open any other windows while doing a fix.
  7. Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 JTRAHAN63

JTRAHAN63
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:21 AM

Posted 26 August 2010 - 08:14 AM

Thanks for the response. This is a work PC and my IT guy got tired of my complaints, so he just replaced it with a new one. The one with the bug was due for replacement shortly anyway. He will simply re-image the hard drive on the old one and use it as a loaner.

Please consider this one closed.

Thanks,
John

#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:07:21 AM

Posted 28 August 2010 - 06:34 PM

Thank you for letting me know.

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.
