Pop Ups And Computer Not Working Right


13 replies to this topic

#1 tanislynn

Posted 08 June 2007 - 11:16 AM

Hi,
I need help. I went onto a myspace comment generator site and ever since then I've been having issues. I started getting a pop-up of an "anti-spyware" program trying to download on my computer. I've had nothing but trouble since. I've scanned and scanned and scanned my computer. I think I've gotten most of the errors fixed, but when I start my computer I'm still getting a window titled 'c:\windows\svhost.exe' pop up. And occasionally when I'm on the internet it will try to do a pop up in the background and then shut it down itself. Please help! Thanks!

Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:06:43 AM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\HGRA\HGRA\WENGINE\wmonitor.exe
C:\Program Files\HGRA\HGRA\FLUtilsSvc.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\qipclnt.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
c:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
c:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HGRA\HGRA\ServiceMgr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HGRA\HGRA\e360SysTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://itg.honeywell.com/itgnet/hgr/choicepage5.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\Program Files\LANDesk\LDClient\softmon.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [Reg2Reg2] "C:\Program Files\LANDesk\LDClient\REG2REG2.EXE"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "c:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [e360SysTray] "C:\Program Files\HGRA\HGRA\e360SysTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=USLDCOAZ1802.GLOBAL.DS.HONEYWELL.COM:5007 /S=USLDCOAZ1802.GLOBAL.DS.HONEYWELL.COM /I=HTTP://USLDCOAZ1802.GLOBAL.DS.HONEYWELL.COM/ldlogon/ldappl3.ldz /NOUI
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [ERS_Check] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwasers.exe"
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\thxodjbo.dll",realset
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://communities.honeywell.com/qp2.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - https://bis.t-mobile.com/html/web/client_to...M-PwpClient.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/YahooDownload/AxLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105558117276
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://pki.honeywell.com/pki/VSApps/vspta3.cab
O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://199.62.252.104:8080/qcbin/Spider90.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O17 - HKLM\Software\..\Telephony: DomainName = global.ds.honeywell.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O23 - Service: Extend360 Enforcement Agent (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: ence55 - Unknown owner - C:\WINDOWS\system32\ence55.exe
O23 - Service: FiberlinkComm Monitor Service (FiberlinkCommMonitor) - Boingo Wireless, Inc. - C:\Program Files\HGRA\HGRA\WENGINE\wmonitor.exe
O23 - Service: System Connect Util Service (FLUtilsSvc) - Fiberlink Communications Corp. - C:\Program Files\HGRA\HGRA\FLUtilsSvc.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: Intel QIP Client Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\qipclnt.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - c:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - c:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\HGRA\HGRA\ServiceMgr.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


#2 RichieUK

    Malware Assassin


  • Malware Response Team

Posted 08 June 2007 - 02:34 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum tanislynn :thumbsup:

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\ence55.exe
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply please.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\ence55.exe
Then click on 'Send'.
Post the results into your next reply please.

****************************

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\svhost.exe
C:\WINDOWS\poolsv.exe
C:\WINDOWS\system32\thxodjbo.dll

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

****************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

****************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


****************************

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to xyz.bat
Double click on xyz.bat (which is still Hijackthis.exe), post that log into your next reply please.
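The instructions above single out svhost.exe, poolsv.exe, thxodjbo.dll and the ence55 service from the posted log. As an added example, not part of the thread or of HijackThis, the following Python script applies those same triage rules to O4 and O23 lines copied from the log; the SYSTEM_NAMES and ROGUE_PRODUCTS lists are constructed for the example, and a "review" finding means scan the file first (as the helper asked for ence55.exe), not delete it.

```python
r"""Heuristic triage of HijackThis O4 (Run key) and O23 (Service) lines.

Added example for this thread; not from the original posts or from HijackThis.
The rules mirror what the helper picked out of the log above:
  * an executable sitting directly in C:\WINDOWS rather than a system subfolder,
  * a file name one character away from a real Windows process name
    (svhost/svchost, poolsv/spoolsv),
  * a Run key that starts rundll32.exe to load a DLL,
  * a service HijackThis reports with "Unknown owner" (scan before acting),
  * the rogue product named in the logs (WinAntiSpyware 2007).
SYSTEM_NAMES, ROGUE_PRODUCTS and WINDOWS_ROOTS are constructed for the example.
"""
import re
from dataclasses import dataclass

SYSTEM_NAMES = ("svchost", "spoolsv", "lsass", "winlogon", "csrss", "services", "explorer")
ROGUE_PRODUCTS = ("WinAntiSpyware 2007",)
WINDOWS_ROOTS = {"c:\\windows", "c:\\winnt"}

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# A quoted path, or the shortest unquoted prefix ending in an executable extension.
IMAGE_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|dll|sys))', re.IGNORECASE)
DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    severity: str  # "suspect": matches a removal pattern; "review": verify before acting
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(field: str) -> str:
    """Program path from a Run command or service path field, without trailing
    arguments or HijackThis annotations such as '(file missing)'."""
    m = IMAGE_RE.match(field.strip())
    return (m.group(1) or m.group(2)).strip() if m else field.strip()


def path_checks(line: str, path: str, raw: str) -> list:
    """Checks shared by Run entries and services."""
    out = []
    folder, _, filename = path.rpartition("\\")
    stem = filename.rsplit(".", 1)[0].lower()
    if folder.lower() in WINDOWS_ROOTS:
        out.append(Finding(line, "suspect", f"{filename} runs directly from the Windows directory"))
    for real in SYSTEM_NAMES:
        if stem != real and edit_distance(stem, real) == 1:
            out.append(Finding(line, "suspect", f"{filename} is one character away from the real {real}.exe"))
    for rogue in ROGUE_PRODUCTS:
        if rogue.lower() in raw.lower():
            out.append(Finding(line, "suspect", f"belongs to rogue security product '{rogue}'"))
    return out


def triage(lines) -> list:
    findings = []
    for line in lines:
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            if cmd.lower().startswith("rundll32"):
                dm = DLL_RE.search(cmd)
                path = (dm.group(1) or dm.group(2)) if dm else ""
                findings.append(Finding(line, "suspect", f"Run key uses rundll32.exe to load {path}"))
            else:
                path = image_path(cmd)
            findings.extend(path_checks(line, path, cmd))
            continue
        m = O23_RE.match(line)
        if m:
            path = image_path(m.group("path"))
            if m.group("owner") == "Unknown owner":
                findings.append(Finding(line, "review", f"service '{m.group('svc')}' has no vendor "
                                        f"string; submit {path} to a multi-engine scanner before acting"))
            findings.extend(path_checks(line, path, m.group("path")))
    return findings


# Lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [ERS_Check] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwasers.exe"
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\thxodjbo.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ence55 - Unknown owner - C:\WINDOWS\system32\ence55.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

The McAfee service line is included deliberately: "Unknown owner" only earns a review, which is why the helper asked for a scan of ence55.exe rather than adding it to the Avenger script.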

#3 tanislynn
  • Topic Starter

Posted 08 June 2007 - 05:53 PM

ok, here are all the scans:

virusscan.jotti.org scan:

Service load: 0% 100%

File: ence55.exe
Status: OK
MD5 336a5cd730c47639879a31cb1b751614
Packers detected: -

Scan taken on 08 Jun 2007 22:06:43 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


Avenger: the txt file was blank

VundoFix V6.4.2

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 4:19:36 PM 6/8/2007

Listing files found while scanning....

C:\WINDOWS\system32\byvww.dll
C:\WINDOWS\system32\hgghgfd.dll
C:\WINDOWS\system32\wwvyb.bak1
C:\WINDOWS\system32\wwvyb.bak2
C:\WINDOWS\system32\wwvyb.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\byvww.dll
C:\WINDOWS\system32\byvww.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgghgfd.dll
C:\WINDOWS\system32\hgghgfd.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\wwvyb.bak1
C:\WINDOWS\system32\wwvyb.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wwvyb.bak2
C:\WINDOWS\system32\wwvyb.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wwvyb.ini
C:\WINDOWS\system32\wwvyb.ini Has been deleted!

Performing Repairs to the registry.
Done!


ComboFix 07-06-09.1 - D:\Documents and Settings\e386419\Desktop\ComboFix.exe
"e386419" - 2007-06-08 16:39:52 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\hgghgfd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\WINDOWS\system32\instsrv.exe


((((((((((((((((((((((((( Files Created from 2007-05-08 to 2007-06-08 )))))))))))))))))))))))))))))))


2007-06-08 16:39 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-08 16:33 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-06-08 16:19 <DIR> d-------- C:\VundoFix Backups
2007-06-08 16:16 0 --a------ C:\backup.reg
2007-06-08 16:12 126,976 --a------ C:\zip.exe
2007-06-08 09:02 <DIR> d-------- C:\Temp\msohtml1
2007-06-08 09:02 <DIR> d-------- C:\Temp\msohtml
2007-06-08 07:37 10,260 ---hs---- C:\Temp\nbptcmbh.dll
2007-06-07 11:35 89,088 --a------ C:\WINDOWS\system32\ATL71.DLL
2007-06-07 11:35 86,016 --a------ C:\WINDOWS\system32\preflib.dll
2007-06-07 11:35 757,760 --a------ C:\WINDOWS\system32\bcm1xsup.dll
2007-06-07 11:35 69,632 --a------ C:\WINDOWS\system32\bcmwlpkt.dll
2007-06-07 11:35 44,032 --a------ C:\WINDOWS\system32\wltrynt.dll
2007-06-07 11:35 33,664 --a------ C:\WINDOWS\system32\drivers\BCMWLNPF.SYS
2007-06-07 11:35 253,952 --a------ C:\WINDOWS\system32\bcmwlu00.exe
2007-06-07 11:35 20,480 --a------ C:\WINDOWS\system32\WLTRYSVC.EXE
2007-06-07 11:35 2,129,920 --a------ C:\WINDOWS\system32\WLBCGCBPRO731.DLL
2007-06-07 11:35 1,392,640 --a------ C:\WINDOWS\system32\WLTRAY.EXE
2007-06-07 11:35 1,253,376 --a------ C:\WINDOWS\system32\BCMWLTRY.EXE
2007-06-07 11:34 <DIR> d-------- C:\dell
2007-06-07 11:13 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
2007-06-07 09:50 <DIR> d-------- C:\Temp\VBE
2007-06-07 09:18 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-06 19:03 <DIR> d-------- D:\DOCUME~1\e386419\APPLIC~1\Uniblue
2007-06-06 18:33 <DIR> d-------- D:\DOCUME~1\e386419\APPLIC~1\Lavasoft
2007-06-06 18:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-06 18:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-06 18:30 2,580 --a------ C:\WINDOWS\system32\cfxysgqh.exe
2007-06-06 18:27 55,316 --a------ C:\WINDOWS\system32\lcsckfet.dll
2007-06-06 18:19 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007
2007-06-06 18:19 <DIR> d-------- C:\Program Files\Common Files\WinAntiSpyware 2007
2007-06-06 18:18 43 --ahs---- C:\Temp\removalfile.bat
2007-06-06 18:18 <DIR> d-------- C:\WINDOWS\system32\T9QaSQ
2007-06-06 18:18 <DIR> d-------- C:\Program Files\svhost
2007-06-06 18:17 <DIR> d-------- C:\Temp\NI.UWAS7_0001_N91M2703
2007-06-06 18:17 <DIR> d-------- C:\Program Files\poolsv
2007-06-06 18:14 23,040 --a------ C:\Temp\poolsv.exe
2007-06-06 08:44 <DIR> d-------- C:\Temp\TCD3C.tmp
2007-06-05 19:00 <DIR> d-------- D:\DOCUME~1\e386419\APPLIC~1\Apple Computer
2007-06-05 18:59 <DIR> d-------- C:\Program Files\iTunes
2007-06-05 18:59 <DIR> d-------- C:\Program Files\iPod
2007-06-05 18:58 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-06-05 18:58 <DIR> d-------- C:\Program Files\QuickTime
2007-06-05 18:58 <DIR> d-------- C:\Program Files\Apple Software Update
2007-06-05 18:35 <DIR> d-------- C:\Temp\6150715
2007-06-05 09:08 12,302,384 --a------ C:\Temp\widgetsus.exe
2007-06-05 07:50 <DIR> d-------- C:\WINDOWS\system32\cba
2007-06-01 10:34 <DIR> d-------- C:\Temp\TD_80
2007-05-30 09:46 <DIR> d-------- C:\Temp\QuickPlace
2007-05-26 20:04 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime
2007-05-25 14:37 24,576 --a------ C:\Temp\efile_util_runner.exe
2007-05-25 14:37 102,400 --a------ C:\Temp\JavaLoader.exe
2007-05-25 13:50 <DIR> d-------- C:\Temp\wz2369
2007-05-25 13:36 <DIR> d-------- C:\Temp\Excel8.0
2007-05-24 20:43 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-05-24 20:43 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-05-24 09:48 <DIR> d-------- C:\Program Files\Common Files\TeamOn
2007-05-23 20:09 <DIR> d-------- D:\DOCUME~1\e386419\APPLIC~1\Research In Motion
2007-05-23 20:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-05-23 20:08 26,368 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2007-05-23 20:07 <DIR> d-------- C:\Program Files\Research In Motion
2007-05-23 20:07 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2007-05-23 20:03 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-05-23 14:02 43,280 --a------ C:\WINDOWS\system32\lmdimon.dll
2007-05-21 09:29 3,770,945 --a------ C:\WINDOWS\system32\Framepkg.exe
2007-05-19 21:11 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-05-18 08:46 <DIR> d-------- D:\DOCUME~1\e386419\VeriSign
2007-05-17 20:07 331,359 --a------ C:\Temp\GTS Quick Links Tool Plugin.exe
2007-05-17 16:00 <DIR> d-------- C:\Program Files\Common Files\Mercury Interactive
2007-05-17 10:33 <DIR> d-------- D:\DOCUME~1\e386419\SapWorkDir
2007-05-17 09:19 2,169,312 --a----t- C:\Temp\ytb_7.0.4.0_ysp_1.1_pub_us_setup_.exe
2007-05-17 09:19 <DIR> dr-h----- D:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-05-17 09:19 <DIR> d-------- D:\DOCUME~1\e386419\APPLIC~1\Yahoo!
2007-05-17 09:19 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-05-17 09:19 <DIR> d-------- C:\Program Files\Yahoo!
2007-05-17 09:18 <DIR> d-------- C:\QUARANTINE
2007-05-17 09:11 <DIR> d-------- C:\Program Files\GTS Quick Links
2007-05-17 09:09 <DIR> d--h----- C:\Temp\bdtmp
2007-05-17 09:09 <DIR> d-------- C:\Program Files\MSECache
2007-05-16 16:51 491,520 --a------ C:\WINDOWS\system32\ence55.exe
2007-05-16 16:51 491,520 --a------ C:\WINDOWS\system32\_ence55.exe
2007-05-16 16:51 31,744 --a------ C:\WINDOWS\system32\ence55_.sys
2007-05-16 16:45 <DIR> d-------- C:\WINDOWS\pss
2007-05-16 16:44 <DIR> d-------- C:\Program Files\Microsoft Office Communicator
2007-05-16 16:39 2,516 --a------ C:\WINDOWS\system32\drivers\default.bin
2007-05-16 16:39 2,516 --a------ C:\WINDOWS\system32\default.bin
2007-05-16 16:36 2,234,320 --a------ C:\WINDOWS\system32\drivers\fw.sys
2007-05-16 16:36 106,600 --a------ C:\WINDOWS\system32\fwnetcfg.dll
2007-05-16 16:35 671,408 --a------ C:\WINDOWS\system32\drivers\vpn.sys
2007-05-16 16:35 36,400 --a------ C:\WINDOWS\system32\drivers\omdrv.sys
2007-05-16 16:35 32,875 --a------ C:\WINDOWS\system32\ckpginashim.dll
2007-05-16 16:35 24,681 --a------ C:\WINDOWS\system32\ckpNotify.dll
2007-05-16 16:35 24,678 --a------ C:\WINDOWS\system32\vnasc_coinstall.dll
2007-05-16 16:35 17,488 --a------ C:\WINDOWS\system32\drivers\scap.sys
2007-05-16 16:35 109,072 --a------ C:\WINDOWS\system32\drivers\vnasc.sys
2007-05-16 16:35 <DIR> d-------- C:\Program Files\CheckPoint
2007-05-16 16:34 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-05-16 16:34 <DIR> d-------- C:\Temp\CpSelfInstall
2007-05-16 16:32 19,915 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-05-16 16:31 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\HGRA


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-22 01:54:37 -------- d-----w C:\Program Files\Network Associates
2007-05-17 15:11:18 -------- d-----w C:\Program Files\SWD
2007-05-16 22:35:32 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-16 22:31:32 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-16 21:54:06 -------- d-----w C:\Program Files\Common Files\Network Associates
2007-04-17 04:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 04:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 04:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 04:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 04:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 04:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 04:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 04:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-17 00:10:54 499,712 ----a-w C:\WINDOWS\system32\MSVCP71.DLL
2007-03-17 00:10:54 348,160 ----a-w C:\WINDOWS\system32\MSVCR71.DLL
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-03-20 15:39]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-23 22:12]
{299F6437-6A9E-4193-ABDB-85B2F4D3613C}=C:\WINDOWS\system32\byvww.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 14:33]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2004-08-13 02:05]
{92A444D2-F945-4dd9-89A1-896A6C2D8D22}=C:\WINDOWS\system32\lcsckfet.dll [2007-06-06 18:27]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 16:13]
"Reg2Reg2"="C:\Program Files\LANDesk\LDClient\REG2REG2.EXE" [2005-10-20 12:01]
"ShStatEXE"="c:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 09:50]
"e360SysTray"="C:\Program Files\HGRA\HGRA\e360SysTray.exe" [2006-04-12 14:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"IntelAPMClient"="C:\Program Files\LANDesk\LDClient\amclient.exe" [2006-11-20 14:00]
"LANDeskInventoryClient"="C:\Program Files\LANDesk\LDClient\LDIScn32.exe" [2006-01-12 07:08]
"SDClientMonitor"="C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2004-12-20 02:40]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"ERS_Check"="C:\Program Files\Common Files\WinAntiSpyware 2007\uwasers.exe" []
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-01-05 13:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"LAUNCHXI"="" []
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-03-28 16:10]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"COMMUNICATOR"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 13:40]
"Uniblue RegistryBooster2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2140148428-718608452-937769972-106196\Scripts\Logon\0\0]
"Script"=\\namerica3.ds.honeywell.com\NETLOGON\LANDesk.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Communicator]
"C:\Program Files\Microsoft Office Communicator\Communicator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-06 00:58:25 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-08 16:43:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [976]


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-08 16:44:58 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-08 16:44

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 16:47, on 2007-06-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\HGRA\HGRA\WENGINE\wmonitor.exe
C:\Program Files\HGRA\HGRA\FLUtilsSvc.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\qipclnt.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
c:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
c:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HGRA\HGRA\ServiceMgr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\HGRA\HGRA\e360SysTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\xyz.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://itg.honeywell.com/itgnet/hgr/choicepage5.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {299F6437-6A9E-4193-ABDB-85B2F4D3613C} - C:\WINDOWS\system32\byvww.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\lcsckfet.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [Reg2Reg2] "C:\Program Files\LANDesk\LDClient\REG2REG2.EXE"
O4 - HKLM\..\Run: [ShStatEXE] "c:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [e360SysTray] "C:\Program Files\HGRA\HGRA\e360SysTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=USLDCOAZ1802.GLOBAL.DS.HONEYWELL.COM:5007 /S=USLDCOAZ1802.GLOBAL.DS.HONEYWELL.COM /I=HTTP://USLDCOAZ1802.GLOBAL.DS.HONEYWELL.COM/ldlogon/ldappl3.ldz /NOUI
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ERS_Check] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwasers.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://communities.honeywell.com/qp2.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - https://bis.t-mobile.com/html/web/client_to...M-PwpClient.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/YahooDownload/AxLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105558117276
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://pki.honeywell.com/pki/VSApps/vspta3.cab
O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://199.62.252.104:8080/qcbin/Spider90.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O17 - HKLM\Software\..\Telephony: DomainName = global.ds.honeywell.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Extend360 Enforcement Agent (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: ence55 - Unknown owner - C:\WINDOWS\system32\ence55.exe
O23 - Service: FiberlinkComm Monitor Service (FiberlinkCommMonitor) - Boingo Wireless, Inc. - C:\Program Files\HGRA\HGRA\WENGINE\wmonitor.exe
O23 - Service: System Connect Util Service (FLUtilsSvc) - Fiberlink Communications Corp. - C:\Program Files\HGRA\HGRA\FLUtilsSvc.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: Intel QIP Client Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\qipclnt.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - c:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - c:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\HGRA\HGRA\ServiceMgr.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#4 tanislynn

tanislynn
  • Topic Starter

  • Members
  • 8 posts

Posted 08 June 2007 - 06:11 PM

Thanks for your help. It looks like things are better. The only issue now that I see is my clock is in military time and it won't let me change it back to normal. Help?

Thanks,
Tanis

#5 tanislynn

tanislynn
  • Topic Starter

  • Members
  • 8 posts

Posted 08 June 2007 - 06:12 PM

Oops - I spoke too soon. I'm still getting pop ups that are not being blocked by my pop up blockers.

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 08 June 2007 - 06:52 PM

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\Temp\msohtml1
C:\Temp\msohtml
C:\Temp\nbptcmbh.dll
C:\WINDOWS\system32\cfxysgqh.exe
C:\WINDOWS\system32\lcsckfet.dll
C:\Temp\removalfile.bat
C:\Temp\poolsv.exe
C:\Temp\TCD3C.tmp
C:\Temp\widgetsus.exe
C:\Temp\efile_util_runner.exe
C:\Temp\JavaLoader.exe
C:\Temp\ytb_7.0.4.0_ysp_1.1_pub_us_setup_.exe

Folders to delete:
D:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007
C:\WINDOWS\system32\T9QaSQ
C:\Program Files\svhost
C:\Temp\NI.UWAS7_0001_N91M2703
C:\Program Files\poolsv
C:\Temp\VBE
C:\Temp\6150715
C:\Temp\TD_80
C:\Temp\QuickPlace
C:\Temp\wz2369
C:\Temp\Excel8.0
C:\Temp\bdtmp

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt, into your next reply.

#7 tanislynn

tanislynn
  • Topic Starter

  • Members
  • 8 posts

Posted 08 June 2007 - 07:09 PM

OK, I ran Avenger again, but again the txt file was blank.

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 08 June 2007 - 07:22 PM

Double click on combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new Hijackthis log please.


#9 tanislynn

tanislynn
  • Topic Starter

  • Members
  • 8 posts

Posted 08 June 2007 - 08:02 PM

here are the two scans:

ComboFix 07-06-09.1 - D:\Documents and Settings\e386419\Desktop\virus scan stuff\ComboFix.exe
"e386419" - 2007-06-08 18:53:11 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))


2007-06-08 16:39 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-08 16:33 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-06-08 16:19 <DIR> d-------- C:\VundoFix Backups
2007-06-08 16:16 0 --a------ C:\backup.reg
2007-06-08 16:12 126,976 --a------ C:\zip.exe
2007-06-07 11:35 89,088 --a------ C:\WINDOWS\system32\ATL71.DLL
2007-06-07 11:35 86,016 --a------ C:\WINDOWS\system32\preflib.dll
2007-06-07 11:35 757,760 --a------ C:\WINDOWS\system32\bcm1xsup.dll
2007-06-07 11:35 69,632 --a------ C:\WINDOWS\system32\bcmwlpkt.dll
2007-06-07 11:35 44,032 --a------ C:\WINDOWS\system32\wltrynt.dll
2007-06-07 11:35 33,664 --a------ C:\WINDOWS\system32\drivers\BCMWLNPF.SYS
2007-06-07 11:35 253,952 --a------ C:\WINDOWS\system32\bcmwlu00.exe
2007-06-07 11:35 20,480 --a------ C:\WINDOWS\system32\WLTRYSVC.EXE
2007-06-07 11:35 2,129,920 --a------ C:\WINDOWS\system32\WLBCGCBPRO731.DLL
2007-06-07 11:35 1,392,640 --a------ C:\WINDOWS\system32\WLTRAY.EXE
2007-06-07 11:35 1,253,376 --a------ C:\WINDOWS\system32\BCMWLTRY.EXE
2007-06-07 11:34 <DIR> d-------- C:\dell
2007-06-07 11:13 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
2007-06-07 09:18 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-06 19:03 <DIR> d-------- D:\DOCUME~1\e386419\APPLIC~1\Uniblue
2007-06-06 18:33 <DIR> d-------- D:\DOCUME~1\e386419\APPLIC~1\Lavasoft
2007-06-06 18:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-06 18:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-05 19:00 <DIR> d-------- D:\DOCUME~1\e386419\APPLIC~1\Apple Computer
2007-06-05 18:59 <DIR> d-------- C:\Program Files\iTunes
2007-06-05 18:59 <DIR> d-------- C:\Program Files\iPod
2007-06-05 18:58 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-06-05 18:58 <DIR> d-------- C:\Program Files\QuickTime
2007-06-05 18:58 <DIR> d-------- C:\Program Files\Apple Software Update
2007-06-05 07:50 <DIR> d-------- C:\WINDOWS\system32\cba
2007-05-26 20:04 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime
2007-05-24 20:43 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-05-24 20:43 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-05-24 09:48 <DIR> d-------- C:\Program Files\Common Files\TeamOn
2007-05-23 20:09 <DIR> d-------- D:\DOCUME~1\e386419\APPLIC~1\Research In Motion
2007-05-23 20:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-05-23 20:08 26,368 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2007-05-23 20:07 <DIR> d-------- C:\Program Files\Research In Motion
2007-05-23 20:07 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2007-05-23 20:03 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-05-23 14:02 43,280 --a------ C:\WINDOWS\system32\lmdimon.dll
2007-05-21 09:29 3,770,945 --a------ C:\WINDOWS\system32\Framepkg.exe
2007-05-19 21:11 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-05-18 08:46 <DIR> d-------- D:\DOCUME~1\e386419\VeriSign
2007-05-17 16:00 <DIR> d-------- C:\Program Files\Common Files\Mercury Interactive
2007-05-17 10:33 <DIR> d-------- D:\DOCUME~1\e386419\SapWorkDir
2007-05-17 09:19 <DIR> dr-h----- D:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-05-17 09:19 <DIR> d-------- D:\DOCUME~1\e386419\APPLIC~1\Yahoo!
2007-05-17 09:19 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-05-17 09:19 <DIR> d-------- C:\Program Files\Yahoo!
2007-05-17 09:18 <DIR> d-------- C:\QUARANTINE
2007-05-17 09:11 <DIR> d-------- C:\Program Files\GTS Quick Links
2007-05-17 09:09 <DIR> d-------- C:\Program Files\MSECache
2007-05-16 16:51 491,520 --a------ C:\WINDOWS\system32\ence55.exe
2007-05-16 16:51 491,520 --a------ C:\WINDOWS\system32\_ence55.exe
2007-05-16 16:51 31,744 --a------ C:\WINDOWS\system32\ence55_.sys
2007-05-16 16:45 <DIR> d-------- C:\WINDOWS\pss
2007-05-16 16:44 <DIR> d-------- C:\Program Files\Microsoft Office Communicator
2007-05-16 16:39 2,516 --a------ C:\WINDOWS\system32\drivers\default.bin
2007-05-16 16:39 2,516 --a------ C:\WINDOWS\system32\default.bin
2007-05-16 16:36 2,234,320 --a------ C:\WINDOWS\system32\drivers\fw.sys
2007-05-16 16:36 106,600 --a------ C:\WINDOWS\system32\fwnetcfg.dll
2007-05-16 16:35 671,408 --a------ C:\WINDOWS\system32\drivers\vpn.sys
2007-05-16 16:35 36,400 --a------ C:\WINDOWS\system32\drivers\omdrv.sys
2007-05-16 16:35 32,875 --a------ C:\WINDOWS\system32\ckpginashim.dll
2007-05-16 16:35 24,681 --a------ C:\WINDOWS\system32\ckpNotify.dll
2007-05-16 16:35 24,678 --a------ C:\WINDOWS\system32\vnasc_coinstall.dll
2007-05-16 16:35 17,488 --a------ C:\WINDOWS\system32\drivers\scap.sys
2007-05-16 16:35 109,072 --a------ C:\WINDOWS\system32\drivers\vnasc.sys
2007-05-16 16:35 <DIR> d-------- C:\Program Files\CheckPoint
2007-05-16 16:34 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-05-16 16:32 19,915 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-05-16 16:31 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\HGRA
2007-05-16 16:31 <DIR> d-------- C:\Program Files\HGRA
2007-05-16 16:29 <DIR> d-------- C:\Program Files\Common Files\Fiberlink
2007-05-16 16:29 <DIR> d-------- C:\Program Files\BigFix Enterprise
2007-05-16 16:28 95,744 --a------ C:\WINDOWS\system32\h5rtf32.dll
2007-05-16 16:28 640,512 --a------ C:\WINDOWS\system32\oc30.dll
2007-05-16 16:28 57,431 --a------ C:\WINDOWS\system32\sapregsv.exe
2007-05-16 16:28 533,504 --a------ C:\WINDOWS\system32\vtssdl32.dll
2007-05-16 16:28 51,712 --a------ C:\WINDOWS\system32\ole2prox.dll
2007-05-16 16:28 51,200 --a------ C:\WINDOWS\system32\h5tool32.dll
2007-05-16 16:28 5,287,936 --a------ C:\WINDOWS\system32\librfc32.dll
2007-05-16 16:28 188,928 --a------ C:\WINDOWS\system32\h5icon32.dll
2007-05-16 16:28 175,616 --a------ C:\WINDOWS\system32\h5menu32.dll
2007-05-16 16:28 15,872 --a------ C:\WINDOWS\system32\vtssm32.dll
2007-05-16 16:28 133,904 --a------ C:\WINDOWS\system32\mfcans32.dll
2007-05-16 16:28 114,688 --a------ C:\WINDOWS\system32\h5dlg32.dll
2007-05-16 16:28 1,646,592 --a------ C:\WINDOWS\system32\SAPbtmp.dll
2007-05-16 16:28 1,064,960 --a------ C:\WINDOWS\system32\h5krnl32.dll
2007-05-16 16:28 <DIR> d-------- C:\Program Files\SAP
2007-05-16 16:28 <DIR> d-------- C:\Program Files\Common Files\SAP Shared
2007-05-16 16:27 153,600 --a------ C:\WINDOWS\system32\tlbinf32.dll
2007-05-16 16:27 <DIR> d--h----- C:\WINDOWS\SAPwksta
2007-05-16 16:21 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2007-05-16 16:21 <DIR> d-------- D:\DOCUME~1\e386419\APPLIC~1\Sonic
2007-05-16 16:20 4,718,592 --ah----- D:\DOCUME~1\e386419\NTUSER.DAT
2007-05-16 16:20 <DIR> d---s---- D:\DOCUME~1\e386419\UserData
2007-05-16 16:20 <DIR> d-------- D:\DOCUME~1\e386419\WINDOWS
2007-05-16 16:20 <DIR> d-------- D:\DOCUME~1\e386419\APPLIC~1\AdobeUM


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-22 01:54:37 -------- d-----w C:\Program Files\Network Associates
2007-05-17 15:11:18 -------- d-----w C:\Program Files\SWD
2007-05-16 22:35:32 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-16 22:31:32 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-16 21:54:06 -------- d-----w C:\Program Files\Common Files\Network Associates
2007-04-17 04:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 04:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 04:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 04:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 04:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 04:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 04:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 04:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-17 00:10:54 499,712 ----a-w C:\WINDOWS\system32\MSVCP71.DLL
2007-03-17 00:10:54 348,160 ----a-w C:\WINDOWS\system32\MSVCR71.DLL


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-03-20 15:39]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-23 22:12]
{299F6437-6A9E-4193-ABDB-85B2F4D3613C}=C:\WINDOWS\system32\byvww.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 14:33]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2004-08-13 02:05]
{92A444D2-F945-4dd9-89A1-896A6C2D8D22}=C:\WINDOWS\system32\lcsckfet.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 16:13]
"Reg2Reg2"="C:\Program Files\LANDesk\LDClient\REG2REG2.EXE" [2005-10-20 12:01]
"ShStatEXE"="c:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 09:50]
"e360SysTray"="C:\Program Files\HGRA\HGRA\e360SysTray.exe" [2006-04-12 14:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"IntelAPMClient"="C:\Program Files\LANDesk\LDClient\amclient.exe" [2006-11-20 14:00]
"LANDeskInventoryClient"="C:\Program Files\LANDesk\LDClient\LDIScn32.exe" [2006-01-12 07:08]
"SDClientMonitor"="C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2004-12-20 02:40]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"ERS_Check"="C:\Program Files\Common Files\WinAntiSpyware 2007\uwasers.exe" []
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-01-05 13:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"LAUNCHXI"="" []
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-03-28 16:10]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"COMMUNICATOR"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 13:40]
"Uniblue RegistryBooster2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2140148428-718608452-937769972-106196\Scripts\Logon\0\0]
"Script"=\\namerica3.ds.honeywell.com\NETLOGON\LANDesk.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Communicator]
"C:\Program Files\Microsoft Office Communicator\Communicator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-06 00:58:25 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-08 18:54:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [820]


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-08 18:55:25
C:\ComboFix-quarantined-files.txt ... 2007-06-08 18:55
C:\ComboFix2.txt ... 2007-06-08 16:44

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 18:56, on 2007-06-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\HGRA\HGRA\WENGINE\wmonitor.exe
C:\Program Files\HGRA\HGRA\FLUtilsSvc.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\qipclnt.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
c:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
c:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HGRA\HGRA\ServiceMgr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\HGRA\HGRA\e360SysTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\xyz.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://itg.honeywell.com/itgnet/hgr/choicepage5.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {299F6437-6A9E-4193-ABDB-85B2F4D3613C} - C:\WINDOWS\system32\byvww.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\lcsckfet.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [Reg2Reg2] "C:\Program Files\LANDesk\LDClient\REG2REG2.EXE"
O4 - HKLM\..\Run: [ShStatEXE] "c:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [e360SysTray] "C:\Program Files\HGRA\HGRA\e360SysTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=USLDCOAZ1802.GLOBAL.DS.HONEYWELL.COM:5007 /S=USLDCOAZ1802.GLOBAL.DS.HONEYWELL.COM /I=HTTP://USLDCOAZ1802.GLOBAL.DS.HONEYWELL.COM/ldlogon/ldappl3.ldz /NOUI
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ERS_Check] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwasers.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://communities.honeywell.com/qp2.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - https://bis.t-mobile.com/html/web/client_to...M-PwpClient.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/YahooDownload/AxLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105558117276
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://pki.honeywell.com/pki/VSApps/vspta3.cab
O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://199.62.252.104:8080/qcbin/Spider90.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O17 - HKLM\Software\..\Telephony: DomainName = global.ds.honeywell.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Extend360 Enforcement Agent (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: ence55 - Unknown owner - C:\WINDOWS\system32\ence55.exe
O23 - Service: FiberlinkComm Monitor Service (FiberlinkCommMonitor) - Boingo Wireless, Inc. - C:\Program Files\HGRA\HGRA\WENGINE\wmonitor.exe
O23 - Service: System Connect Util Service (FLUtilsSvc) - Fiberlink Communications Corp. - C:\Program Files\HGRA\HGRA\FLUtilsSvc.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: Intel QIP Client Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\qipclnt.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - c:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - c:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\HGRA\HGRA\ServiceMgr.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 08 June 2007 - 08:15 PM

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {299F6437-6A9E-4193-ABDB-85B2F4D3613C} - C:\WINDOWS\system32\byvww.dll (file missing)
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\lcsckfet.dll (file missing)
O4 - HKLM\..\Run: [ERS_Check] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwasers.exe"
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

Exit Hijackthis.

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log, and let me know how your pc is running now.

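As an added example (not from this thread and not part of HijackThis), a small Python triage script that encodes the reasoning behind the fix list above: it flags orphaned '(no name)' BHOs whose DLL is missing, a Run key launching the rogue 'WinAntiSpyware 2007' package, and an unnamed O16 ActiveX download that fetches an .exe, while leaving the Acrobat BHO and a named .cab DPF entry alone. The sample lines are copied from the logs in this thread; the rule wording and the ROGUE_PRODUCTS list are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the four entries the helper asked HijackThis to fix in this
# thread, followed by two benign lines from the same log (Acrobat BHO, a named
# .cab DPF entry) so the rules have both classes to separate.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {299F6437-6A9E-4193-ABDB-85B2F4D3613C} - C:\WINDOWS\system32\byvww.dll (file missing)
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\lcsckfet.dll (file missing)
O4 - HKLM\..\Run: [ERS_Check] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwasers.exe"
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://communities.honeywell.com/qp2.cab
"""

# Rogue "anti-spyware" names to match in autorun paths (assumed list; only the product from this thread).
ROGUE_PRODUCTS = ("WinAntiSpyware",)

# Every HijackThis entry starts with a section code (R0-R3, O1-O23) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O16 bodies look like "DPF: {CLSID} (Class Name) - URL"; the class name is optional.
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?P<name> \([^)]*\))? - (?P<url>\S+)$")


@dataclass
class Finding:
    kind: str    # HijackThis section code, e.g. "O2"
    reason: str  # why the entry was flagged
    line: str    # the original log line


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for an entry that matches one of the fix-list patterns."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m["kind"], m["body"]
    if kind == "O2" and "(no name)" in body and "(file missing)" in body:
        return Finding(kind, "orphaned BHO: no name and the DLL is missing", line)
    if kind == "O4" and any(p.lower() in body.lower() for p in ROGUE_PRODUCTS):
        return Finding(kind, "autorun entry for a rogue anti-spyware product", line)
    if kind == "O16":
        dpf = DPF_RE.match(body)
        if dpf and not dpf["name"] and dpf["url"].lower().endswith(".exe"):
            return Finding(kind, "unnamed ActiveX download that fetches an .exe", line)
    return None


def triage(log_text: str) -> list:
    """Run classify() over every line of a HijackThis log and keep only the hits."""
    return [f for f in (classify(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```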

#11 tanislynn

tanislynn
  • Topic Starter

  • Members
  • 8 posts

Posted 08 June 2007 - 09:22 PM

Thanks for all your help. Here is my hijackthis log. The only issue I seem to be having at this point is my clock being in the 24 hour format instead of the 12 hour. How can I change that?

Logfile of HijackThis v1.99.1
Scan saved at 20:16, on 2007-06-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\HGRA\HGRA\WENGINE\wmonitor.exe
C:\Program Files\HGRA\HGRA\FLUtilsSvc.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\qipclnt.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\LANDesk\Shared Files\alert.exe
c:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HGRA\HGRA\ServiceMgr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\HGRA\HGRA\e360SysTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\xyz.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://itg.honeywell.com/itgnet/hgr/choicepage5.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [Reg2Reg2] "C:\Program Files\LANDesk\LDClient\REG2REG2.EXE"
O4 - HKLM\..\Run: [ShStatEXE] "c:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [e360SysTray] "C:\Program Files\HGRA\HGRA\e360SysTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=USLDCOAZ1802.GLOBAL.DS.HONEYWELL.COM:5007 /S=USLDCOAZ1802.GLOBAL.DS.HONEYWELL.COM /I=HTTP://USLDCOAZ1802.GLOBAL.DS.HONEYWELL.COM/ldlogon/ldappl3.ldz /NOUI
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://communities.honeywell.com/qp2.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - https://bis.t-mobile.com/html/web/client_to...M-PwpClient.cab
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/YahooDownload/AxLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105558117276
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://pki.honeywell.com/pki/VSApps/vspta3.cab
O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://199.62.252.104:8080/qcbin/Spider90.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O17 - HKLM\Software\..\Telephony: DomainName = global.ds.honeywell.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Extend360 Enforcement Agent (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: ence55 - Unknown owner - C:\WINDOWS\system32\ence55.exe
O23 - Service: FiberlinkComm Monitor Service (FiberlinkCommMonitor) - Boingo Wireless, Inc. - C:\Program Files\HGRA\HGRA\WENGINE\wmonitor.exe
O23 - Service: System Connect Util Service (FLUtilsSvc) - Fiberlink Communications Corp. - C:\Program Files\HGRA\HGRA\FLUtilsSvc.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: Intel QIP Client Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\qipclnt.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - c:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - c:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\HGRA\HGRA\ServiceMgr.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 09 June 2007 - 03:12 AM

Your log is clean :thumbsup:
If all's ok, please do the following:

Find and delete:
Avenger
VundoFix.exe
Combofix

C:\VundoFix Backups
C:\QooBox
C:\Avenger

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

The only issue I seem to be having at this point is my clock being in the 24 hour format instead of the 12 hour. How can I change that?

Click on Start/Control Panel/Regional and Language Options.
Click on the 'Regional Options' tab, then click on the 'Customize' button.
Once in the 'Customize Regional Options' window, click on the 'Time' tab.
There you can change the time format to either of the following:

* Change Time format to HH:mm:ss for a 24-hour clock.
* Change Time format to hh:mm:ss tt for a 12-hour clock.

Press Apply/Ok when you've finished.
You may have to restart your pc.

Edited by RichieUK, 09 June 2007 - 06:23 AM.


#13 tanislynn

tanislynn
  • Topic Starter

  • Members
  • 8 posts

Posted 11 June 2007 - 11:59 AM

Thank you so much for all your help. I greatly appreciate it!

Tanis

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 11 June 2007 - 12:23 PM

You're most welcome Tanis :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.