Outerinfo-ndrv On A Server


  • This topic is locked
8 replies to this topic

#1 rebar

rebar

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:19 AM

Posted 07 July 2007 - 07:01 PM

Hi all,

We have a computer running XP Pro tied to a server running MS Small Biz Server. Historically, we ran server-pushed Symantec antivirus and would run Spybot from time to time for general housekeeping. Several weeks back, while googling, a download commenced that couldn't be stopped, and the computer was crash-stopped by killing the power. Unfortunately, Outerinfo-NDriv.exe and several other randomly numbered exes had obtained a sufficient toe-hold to launch on the next boot. Symantec swats down the exe files, but each time they make a new Outerinfo folder (we delete the old ones) and put a new randomly named dll in the %root\Windows\system32 folder. An odd thing about the dll is that the last item in the new registry key that points at it always starts with 8F8DCB.

The problems are linked to one individual's account. An administrator can sign on to that person's computer and not have problems with malware launching. Is it reasonable to assume that there are some contaminated files in that person's profile over on the server? We're chemists and know just enough about computers to be dangerous. This is a nuisance, not an emergency. Our anti-virus software swats down NDrv.exe or the others whenever they launch, and we can sweep the mal-dlls and the Outerinfo files as well. So, knowing that you folks can get slammed a bit, we can be pushed to the back of the surgical triage without problem.

Thanks in advance for any help you can provide,

rebar

BTW, the log that follows has the network domain edited.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:22 PM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\WINDOWS\system32\cisvc.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\CFusionMX7\db\slserver54\bin\swagent.exe
C:\CFusionMX7\db\slserver54\bin\swstrtr.exe
C:\CFusionMX7\db\slserver54\bin\swsoc.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Caere\OmniPagePro10.0\opware32.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\DOCUME~1\JACKTI~1\APPLIC~1\CROSOF~1\userinit.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\downloads\tuneupadvisor\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [PPort9reminder] "C:\Program Files\ScanSoft\PaperPort\WebEreg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\9\Config\ereg.ini"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro10.0\opware32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Usso] "C:\DOCUME~1\JACKTI~1\APPLIC~1\YMBOLS~1\ntvdm.exe" -vt yazb
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [Uset] "C:\DOCUME~1\JACKTI~1\APPLIC~1\CROSOF~1\userinit.exe" -vt yazb
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1182017548171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182710459364
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain
O17 - HKLM\Software\..\Telephony: DomainName = domain
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 ODBC Agent - Unknown owner - C:\CFusionMX7\db\slserver54\bin\swagent.exe
O23 - Service: ColdFusion MX 7 ODBC Server - Unknown owner - C:\CFusionMX7\db\slserver54\bin\swstrtr.exe
O23 - Service: ColdFusion MX 7 Search Server - Verity, Inc. - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 11273 bytes
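As an added illustration, not part of rebar's post or of BleepingComputer's cleanup process, the pattern visible in the O4 lines above (a system binary name such as userinit.exe or ntvdm.exe started from a mangled 8.3 folder under the user's Application Data) can be picked out of a HijackThis log automatically. The script is my own; the SYSTEM_BINARIES list and the WinHlp sample line are assumptions I constructed, while the other sample lines are copied from the log in this post.

```python
import re
from typing import Dict, List, Tuple

# Windows binaries the malware in this thread impersonated (userinit.exe and
# ntvdm.exe in the O4 lines; mmc.exe and tracert.exe in ComboFix's deletions)
# plus a few core system processes. Assumption: this is my own starting list.
SYSTEM_BINARIES = {
    "userinit.exe", "ntvdm.exe", "mmc.exe", "tracert.exe",
    "svchost.exe", "winlogon.exe", "lsass.exe", "explorer.exe", "smss.exe",
}
EXE_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".scr", ".lnk")

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")


def split_command(cmd: str) -> Tuple[str, str]:
    """Split an autorun command line into (executable path, arguments).

    A quoted path runs to the closing quote. An unquoted one is grown token by
    token until it ends in an executable suffix, so paths with spaces survive.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    tokens = cmd.split(" ")
    for i in range(len(tokens)):
        head = " ".join(tokens[:i + 1])
        if head.lower().endswith(EXE_SUFFIXES):
            return head, " ".join(tokens[i + 1:]).strip()
    return tokens[0], " ".join(tokens[1:]).strip()


def assess_path(path: str) -> List[str]:
    """Reasons an autorun target looks like a profile-resident system lookalike."""
    reasons = []
    low = path.lower()
    has_dir = "\\" in low
    base = low.rsplit("\\", 1)[-1]

    # Per-user Application Data, long or 8.3 form. Nothing that belongs in
    # system32 is supposed to start from here.
    in_profile = "\\docume~1\\" in low or "\\documents and settings\\" in low
    in_appdata = "\\applic~1\\" in low or "\\application data\\" in low
    if in_profile and in_appdata:
        reasons.append("runs from a user profile's Application Data")

    # A system binary name outside %SystemRoot%. Bare names (no directory)
    # resolve through PATH and are left alone here.
    in_windows = low.startswith(("c:\\windows\\", "%systemroot%\\"))
    if has_dir and base in SYSTEM_BINARIES and not in_windows:
        reasons.append(f"{base} lives outside the Windows directory")

    # Lookalike folder names: ComboFix printed these with '?' standing in for
    # characters it could not render (s?stem32, ?ymbols, ??sks).
    if any(ch == "?" or ord(ch) > 127 for ch in path):
        reasons.append("path contains non-ASCII or unprintable characters")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse the O4 lines of a HijackThis log and return the suspicious ones."""
    findings = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip()) or STARTUP_RE.match(line.strip())
        if not m:
            continue
        path, args = split_command(m.group("cmd"))
        reasons = assess_path(path)
        if reasons:
            findings.append({"name": m.group("name"), "path": path,
                             "args": args, "reasons": reasons})
    return findings


# Constructed sample: O4 lines copied from the HijackThis log above, plus one
# made-up entry (WinHlp) modelled on the s?stem32 folder ComboFix later removed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Usso] "C:\DOCUME~1\JACKTI~1\APPLIC~1\YMBOLS~1\ntvdm.exe" -vt yazb
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uset] "C:\DOCUME~1\JACKTI~1\APPLIC~1\CROSOF~1\userinit.exe" -vt yazb
O4 - HKCU\..\Run: [WinHlp] "C:\DOCUME~1\JACKTI~1\APPLIC~1\s?stem32\svchost.exe" -vt yazb
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['name']}] {f['path']} {f['args']}".rstrip())
        for r in f["reasons"]:
            print("    -", r)
```

Run against the sample, only the Usso, Uset and WinHlp entries are reported; the legitimate entries that also live under Program Files or the Windows directory are left alone.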

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:07:19 AM

Posted 18 July 2007 - 12:34 AM

Hello,

The current formatting of your log makes it difficult to read, so in notepad:
On top, click Format >uncheck Word Wrap

I see you are running Teatimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Then, download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 rebar

rebar
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:19 AM

Posted 18 July 2007 - 10:57 AM

Hello Miekiemoes,

Thank you for your reply. As you requested, below are the two logs. We had managed to reduce the problem (it was launching on each log-in/reboot) by brute force with Spyware Doctor, XoftSpySE, Ad-Aware, Spybot, Uniblue's PowerSuite and a couple of others. Before running Combofix I disabled the Uniblue and Spyware TSRs using msconfig and followed your download instructions to put the temporary disable on TeaTimer. Combofix ran like a champ, even through the network log-out and log-in. It seems Combo found some more nasties beyond what the commercial malware/spyware detectors found. Thank you very much for that!!

With thanks,

rebar

BTW, the WrapText is not checked in notepad - these are cut & pastes that don't show any wrapping on my screen. That said, some of our paths are long so the files are also attached.

ComboFix.txt:
"jackti~" - 2007-07-18 7:59:50 - ComboFix 07-07-17.8 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


\\Henri\Home$\JACKTI~1.\mbols~1
\\Henri\Home$\JACKTI~1.\mbols~1\mmc.exe
\\Henri\Home$\JACKTI~1.\sembly~1
\\Henri\Home$\JACKTI~1.\sembly~1\tracert.exe
\\Henri\Home$\JACKTI~1.\ymante~1
C:\DOCUME~1\JACKTI~1\APPLIC~1.\crosof~1
C:\DOCUME~1\JACKTI~1\APPLIC~1.\sks~1
C:\DOCUME~1\JACKTI~1\APPLIC~1.\sstem3~1
C:\DOCUME~1\JACKTI~1\APPLIC~1.\ymbols~1
C:\DOCUME~1\JACKTI~1\APPLIC~1.\ymbols~1\ntvdm.exe
C:\Program Files\Common Files\icroso~1
C:\Program Files\mcroso~1.net
C:\WINDOWS\system32\mcroso~1
C:\WINDOWS\system32\tmp42.tmp
C:\WINDOWS\system32\tmp43.tmp
C:\WINDOWS\system32\tsks~1


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_IPRIP
-------\Iprip


((((((((((((((((((((((((( Files Created from 2007-06-18 to 2007-07-18 )))))))))))))))))))))))))))))))


2007-07-18 08:03 <DIR> d-------- C:\DOCUME~1\JACKTI~1\APPLIC~1\s?stem32
2007-07-18 08:03 <DIR> d-------- C:\DOCUME~1\JACKTI~1\APPLIC~1\?ymbols
2007-07-18 08:03 <DIR> d-------- C:\DOCUME~1\JACKTI~1\APPLIC~1\??sks
2007-07-18 07:59 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-14 18:32 <DIR> d-------- C:\Program Files\SysInternals
2007-07-14 17:12 <DIR> d-------- C:\Program Files\Windows Defender
2007-07-14 16:46 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-07-14 16:46 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-14 16:46 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-07-14 16:46 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-07-14 16:46 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-07-14 16:46 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-07-14 16:46 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-07-14 16:46 <DIR> d-------- C:\DOCUME~1\JACKTI~1\APPLIC~1\PC Tools
2007-07-13 16:13 <DIR> d-------- C:\Personal
2007-07-08 17:58 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-07-08 15:34 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-08 15:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-08 15:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-07 15:45 <DIR> d-------- C:\HiJackThis
2007-07-07 10:43 <DIR> d-------- C:\Program Files\XoftSpySE
2007-07-07 09:33 <DIR> d-------- C:\Program Files\RegCure
2007-07-03 11:36 <DIR> d-------- C:\DOCUME~1\ADMINI~1.DOU\APPLIC~1\Uniblue
2007-07-03 11:34 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1.DOU\ntuser.dat
2007-07-03 11:34 <DIR> d-------- C:\Program Files\Microsoft Windows Small Business Server
2007-07-03 11:34 <DIR> d-------- C:\DOCUME~1\ADMINI~1.DOU\APPLIC~1\Windows Desktop Search
2007-07-03 11:34 <DIR> d-------- C:\DOCUME~1\ADMINI~1.DOU\APPLIC~1\Real
2007-07-03 11:34 <DIR> d-------- C:\DOCUME~1\ADMINI~1.DOU\APPLIC~1\Ontrack
2007-07-02 18:28 92,160 --a------ C:\WINDOWS\system32\evntwin.exe
2007-07-02 18:28 8,704 --a------ C:\WINDOWS\system32\snmptrap.exe
2007-07-02 18:28 6,144 --a------ C:\WINDOWS\system32\snmpmib.dll
2007-07-02 18:28 39,936 --a------ C:\WINDOWS\system32\hostmib.dll
2007-07-02 18:28 35,328 --a------ C:\WINDOWS\system32\iprip.dll
2007-07-02 18:28 33,792 --a------ C:\WINDOWS\system32\lmmib2.dll
2007-07-02 18:28 33,280 --a------ C:\WINDOWS\system32\snmp.exe
2007-07-02 18:28 24,064 --a------ C:\WINDOWS\system32\evntcmd.exe
2007-07-02 18:28 22,528 --a------ C:\WINDOWS\system32\lpdsvc.dll
2007-07-02 18:28 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2007-07-02 18:28 18,944 --a------ C:\WINDOWS\system32\lprmon.dll
2007-07-02 18:28 101,888 --a------ C:\WINDOWS\system32\evntagnt.dll
2007-07-02 14:24 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-02 08:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-07-02 08:30 <DIR> d-------- C:\Program Files\Uniblue
2007-07-02 07:46 <DIR> d-------- C:\Junk
2007-06-27 18:10 <DIR> d-------- C:\Program Files\Microangelo Toolset 6
2007-06-27 17:56 <DIR> d-------- C:\DOCUME~1\JACKTI~1\APPLIC~1\Opera
2007-06-26 17:26 <DIR> d-------- C:\BrCollectDir
2007-06-26 16:15 <DIR> d-------- C:\DOCUME~1\JACKTI~1\APPLIC~1\ScanSoft
2007-06-26 15:47 176,128 --------- C:\WINDOWS\system32\BrfxDA5a.dll
2007-06-26 15:33 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-06-26 15:33 <DIR> d-------- C:\WINDOWS\pixtran
2007-06-26 15:31 <DIR> d-------- C:\Program Files\Common Files\Caere
2007-06-26 15:31 <DIR> d-------- C:\Program Files\Caere
2007-06-26 13:56 23,040 --a------ C:\WINDOWS\system32\xrxwbtmp.dll
2007-06-26 13:56 17,408 --a------ C:\WINDOWS\system32\xrxscnui.dll
2007-06-26 13:56 116,224 --a------ C:\WINDOWS\system32\xrxwiadr.dll
2007-06-26 13:56 <DIR> d-------- C:\DOCUME~1\JACKTI~1\APPLIC~1\Xerox
2007-06-26 13:42 <DIR> d-------- C:\WINDOWS\Twain
2007-06-26 13:23 86,016 --------- C:\WINDOWS\system32\Epfb5cpl.dll
2007-06-26 13:23 77,824 --------- C:\WINDOWS\system32\Esintpl.dll
2007-06-26 13:23 65,536 --------- C:\WINDOWS\system32\epcomdd.dll
2007-06-26 13:23 53,248 --------- C:\WINDOWS\system32\ESICM.dll
2007-06-26 13:23 47,104 --a------ C:\WINDOWS\system32\escimgn.dll
2007-06-26 13:23 47,104 --------- C:\WINDOWS\system32\escimgd.dll
2007-06-26 13:23 36,352 --a------ C:\WINDOWS\system32\escwian.dll
2007-06-26 13:23 33,280 --------- C:\WINDOWS\system32\esccm.dll
2007-06-26 13:23 32,256 --------- C:\WINDOWS\system32\escwiab.dll
2007-06-26 13:23 31,744 --------- C:\WINDOWS\system32\escwiad.dll
2007-06-26 13:23 27,648 --------- C:\WINDOWS\system32\escimg.dll
2007-06-26 13:23 24,064 --a------ C:\WINDOWS\system32\esccmn.dll
2007-06-26 13:23 22,528 --------- C:\WINDOWS\system32\esccmd.dll
2007-06-26 13:23 172,032 --------- C:\WINDOWS\system32\ESDTR.dll
2007-06-26 13:23 <DIR> d-------- C:\EPSON
2007-06-26 12:13 671 --a------ C:\WINDOWS\mozver.dat
2007-06-25 17:34 <DIR> d-------- C:\Program Files\QuickTime
2007-06-25 17:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-06-25 14:23 <DIR> dr------- C:\DOCUME~1\JACKTI~1\APPLIC~1\Brother
2007-06-25 14:09 77,824 --a------ C:\WINDOWS\system32\BRLMW03A.DLL
2007-06-25 14:09 69,632 --a------ C:\WINDOWS\system32\BRRBTOOL.EXE
2007-06-25 14:09 65 --a------ C:\WINDOWS\system32\BD8660DN.DAT
2007-06-25 14:09 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2007-06-25 14:09 52,224 --------- C:\WINDOWS\system32\brinsstr.dll
2007-06-25 14:09 45,056 --a------ C:\WINDOWS\system32\BRTCPCON.DLL
2007-06-25 14:09 24,223 --a------ C:\WINDOWS\system32\BRLM03A.DLL
2007-06-25 14:09 118,784 --a------ C:\WINDOWS\system32\BROSNMP.DLL
2007-06-25 14:08 86,016 --------- C:\WINDOWS\system32\BrWebIns.dll
2007-06-25 14:08 69,632 --------- C:\WINDOWS\system32\BRWEBUP.EXE
2007-06-25 14:08 54,784 --------- C:\WINDOWS\system32\BrNetSti.dll
2007-06-25 14:08 53,248 --------- C:\WINDOWS\system32\BrMfNt.dll
2007-06-25 14:08 34,816 --------- C:\WINDOWS\system32\BrWiaNCp.dll
2007-06-25 14:08 33,280 --------- C:\WINDOWS\system32\Brnsplg.dll
2007-06-25 14:08 188,416 --------- C:\WINDOWS\system32\PDRVINST.DLL
2007-06-25 14:08 163,840 --------- C:\WINDOWS\system32\NSSearch.dll
2007-06-25 14:08 147,456 --a------ C:\WINDOWS\brunin03.dll
2007-06-25 14:08 126,976 --------- C:\WINDOWS\system32\BrfxD05a.dll
2007-06-25 14:08 106,496 --------- C:\WINDOWS\system32\BrMuSNMP.dll
2007-06-25 14:08 1,491,456 --a------ C:\WINDOWS\system32\BrWia05c.dll
2007-06-25 14:08 0 --a------ C:\WINDOWS\brdfxspd.dat
2007-06-25 14:08 <DIR> d-------- C:\Program Files\Brother
2007-06-25 14:08 <DIR> d-------- C:\Brother


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-26 23:29:22 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-25 21:08:59 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-24 21:27:59 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-06-21 18:09:49 -------- d-----w C:\DOCUME~1\JACKTI~1\APPLIC~1\??sks
2007-06-16 18:20:09 -------- d-----w C:\Program Files\Common Files\Ahead
2007-06-16 18:13:50 -------- d-----w C:\Program Files\Nero
2007-06-16 18:02:11 -------- d-----w C:\Program Files\InterVideo
2007-06-16 18:01:59 -------- d-----w C:\Program Files\Common Files\InterVideo
2007-06-16 00:42:52 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-06-16 00:42:52 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-06-16 00:36:58 -------- d-----w C:\Program Files\Creative
2007-06-16 00:28:15 -------- d--h--w C:\Program Files\Creative Installation Information
2007-06-16 00:28:15 -------- d-----w C:\Program Files\Common Files\Creative
2007-06-15 21:17:02 -------- d-----w C:\Program Files\MSXML 4.0
2007-06-15 21:09:27 -------- d-----w C:\Program Files\HighMAT CD Writing Wizard
2007-06-15 21:07:44 -------- d-----w C:\Program Files\Messenger
2007-06-15 21:04:26 -------- d-----w C:\Program Files\MSXML 6.0
2007-06-15 21:04:23 -------- d-----w C:\Program Files\Windows Journal Viewer
2007-06-15 20:24:48 -------- d-----w C:\Program Files\microsoft frontpage
2007-06-15 20:24:32 0 --sha-r C:\MSDOS.SYS
2007-06-15 20:24:32 0 --sha-r C:\IO.SYS
2007-06-15 20:24:32 0 ----a-w C:\CONFIG.SYS
2007-06-15 20:24:32 0 ----a-w C:\AUTOEXEC.BAT
2007-06-15 20:23:57 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-15 20:23:16 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-06-15 20:23:09 -------- d-----w C:\Program Files\Movie Maker
2007-06-15 20:22:38 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-06-15 20:22:35 -------- d-----w C:\Program Files\Online Services
2007-06-15 20:22:30 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-06-15 20:22:23 -------- d-----w C:\Program Files\Windows NT
2007-06-15 18:05:39 -------- d-----w C:\DOCUME~1\JACKTI~1\APPLIC~1\?ymbols
2007-06-15 13:17:42 -------- d-----w C:\Program Files\Common Files\ODBC
2007-06-15 13:17:39 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
1997-07-22 02:30:54 1,045,776 --sha-w C:\WINDOWS\system32\Msjet35.dll
1997-06-23 10:00:00 123,664 --sha-w C:\WINDOWS\system32\Msjint35.dll
1997-06-23 19:06:50 24,848 --sha-w C:\WINDOWS\system32\Msjter35.dll
1997-06-23 19:06:50 252,176 --sha-w C:\WINDOWS\system32\Msrd2x35.dll
1997-06-23 19:06:50 287,504 --sha-w C:\WINDOWS\system32\Msxbse35.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
2007-05-10 22:47 321120 --a------ C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-12-21 11:29 C:\WINDOWS\system32\nwiz.exe]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-09-15 10:43]
"P17Helper"="SPIRun.dll" [2006-07-03 12:43 C:\WINDOWS\system32\SPIRun.dll]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
"@"="" []
"Synchronization Manager"="%SystemRoot%\system32\mobsync.exe" []
"vptray"="C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe" [2002-07-30 11:35]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 18:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-06-27 13:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39]
"updateMgr"="D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-06-20 14:22]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-06-21 08:53:56]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-06-16 11:02:14]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"=1 (0x1)
"NoSimpleStartMenu"=1 (0x1)
"NoAutoTrayNotify"=1 (0x1)
"NoSMBalloonTip"=1 (0x1)
"NoSMHelp"=1 (0x1)
"DisablePersonalDirChange"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
"C:\Program Files\Spyware Doctor\SDTrayApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
"C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc


Contents of the 'Scheduled Tasks' folder
2007-07-18 09:02:21 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-07-18 15:04:03 C:\WINDOWS\tasks\RegCure Program Check.job
2007-07-12 12:54:49 C:\WINDOWS\tasks\RegCure.job
2007-07-15 02:44:41 C:\WINDOWS\tasks\Uniblue SpyEraser.job
2007-07-18 15:04:03 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-07-17 12:45:10 C:\WINDOWS\tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-18 08:04:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ColdFusion MX 7 Search Server]
"ImagePath"="\"C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe\" -cfg \"C:\CFusionMX7\verity\k2\common\verity.cfg\" -ntstart 1"

Completion time: 2007-07-18 8:05:39 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-18 08:05

--- E O F ---

hijackthis.log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:06 AM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\CFusionMX7\db\slserver54\bin\swagent.exe
C:\CFusionMX7\db\slserver54\bin\swstrtr.exe
C:\CFusionMX7\db\slserver54\bin\swsoc.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1182017548171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182710459364
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domainname
O17 - HKLM\Software\..\Telephony: DomainName = domainname
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domainname
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domainname
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 ODBC Agent - Unknown owner - C:\CFusionMX7\db\slserver54\bin\swagent.exe
O23 - Service: ColdFusion MX 7 ODBC Server - Unknown owner - C:\CFusionMX7\db\slserver54\bin\swstrtr.exe
O23 - Service: ColdFusion MX 7 Search Server - Verity, Inc. - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 11227 bytes


#4 miekiemoes

  • Malware Response Team

Posted 18 July 2007 - 01:18 PM

Hi,

I don't really like Xoftspy, but that's my personal opinion.

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders again afterwards, when we are done with this thread and your problems are solved, because the above instructions to set your system to show all files unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Navigate to the following folder:

C:\Documents and Settings\jackti~\Application Data

In there, you should find the following folders:

s?stem32 <== may look like System32
?ymbols <== may look like symbols
??sks <== may look like tasks

Delete these folders.

Do NOT try to delete the C:\Windows\system32 folder, the C:\Windows\tasks folder and the C:\Windows\symbols folder, as they are legit!

Also delete the C:\Qoobox folder.

Let me know in your next reply how things are now...
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 rebar

  • Topic Starter
  • Members

Posted 18 July 2007 - 02:23 PM

Hi,

As requested, I deleted the folders system32, symbols & tasks from C:\Documents and Settings\jackti~\Application Data and the Qoobox folder from the C: drive. The sys32 & tasks folders were empty. The symbols folder had an empty symbols folder and a non-MS signed, author unknown 71KB copy of ntvdm.exe (an MS signed, version 5.1.2600.2180, 410 KB copy lives over in C:\windows\system32).

After the deletions, I logged off & rebooted. Checked C:\Documents and Settings\jackti~\Application Data and the three folders were back exactly as before, with the same dates/times as before (back in June). This trio of folders also exists in my profile over on the server. In theory we can sign in on any computer in the network, so a copy of docs&settings\jackti~\App Data exists on the server as well as on "my" computer. Should I disable the spywares and try running ComboFix again?

Thanks!

rebar

#6 miekiemoes

  • Malware Response Team

Posted 18 July 2007 - 02:35 PM

This trio of folders also exists in my profile over on the server

Delete them there as well...
They were the only bad folders remaining, and since you could delete them without any problem, this means that they are not active. So if they are present again after reboot, it's because they are also present in your profile over on the server.
So no need to run Combofix, since the only ones it will display are these folders again.

Edit: I really hope you don't delete anything present in your Windows or System32 folder. The bad folders are in your C:\Documents and Settings\jackti~\Application Data folder.

Edited by miekiemoes, 18 July 2007 - 02:36 PM.

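The lookalike folders named in reply #4 (s?stem32, ?ymbols, ??sks under Application Data) and the point in reply #6 that the roaming copy of the profile on the server puts them back suggest a check a helper can run on both copies: flag directory entries whose name contains non-ASCII characters but reads as a protected Windows folder name once those characters are treated as wildcards. This is an added example, not code from the thread or from any tool it mentions; the Cyrillic characters are constructed stand-ins, since the forum could only show the real ones as "?", and the profile paths you point it at are your own.

```python
import os
import re
import unicodedata

# Folder names the thread's replies say the malware imitates inside a user's
# Application Data folder; the genuine ones live under C:\Windows.
IMITATED_NAMES = ("system32", "symbols", "tasks")


def ascii_skeleton(name):
    """Regex for `name` with each non-ASCII character as a wildcard, which
    is how the forum rendered those characters ('s?stem32')."""
    return "".join(re.escape(ch) if ch.isascii() else "." for ch in name)


def lookalike_target(name, targets=IMITATED_NAMES):
    """Return the legitimate folder name that `name` imitates, or None.

    Only names containing at least one non-ASCII character can match, so a
    real 'system32', 'symbols' or 'tasks' is never flagged; that matters
    because the genuine copies under the Windows folder must be kept."""
    if name.isascii():
        return None
    pattern = ascii_skeleton(name)
    for target in targets:
        if re.fullmatch(pattern, target, re.IGNORECASE):
            return target
    return None


def describe_chars(name):
    """Unicode names of the non-ASCII code points, for the report."""
    return [unicodedata.name(ch, "U+%04X" % ord(ch)) for ch in name if not ch.isascii()]


def scan_profile(app_data_dir):
    """List (folder, imitated name, odd characters) for one profile's
    Application Data directory; run it against both the local profile and
    the roaming copy on the server, since the server copy restores the
    folders at the next logon."""
    hits = []
    with os.scandir(app_data_dir) as entries:
        for entry in entries:
            target = lookalike_target(entry.name)
            if target and entry.is_dir():
                hits.append((entry.name, target, describe_chars(entry.name)))
    return hits


if __name__ == "__main__":
    # Constructed samples: Cyrillic u (U+0443), dze (U+0455), te (U+0442) and
    # a (U+0430) stand in for characters the thread could only show as '?'.
    for name in ("s\u0443stem32", "\u0455ymbols", "\u0442\u0430sks", "system32"):
        print(repr(name), "->", lookalike_target(name), describe_chars(name))
```

Point `scan_profile` at both `C:\Documents and Settings\<user>\Application Data` and the same user's profile folder on the server; a hit lists which character is foreign so the folder can be identified without trusting how Explorer draws it.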

#7 rebar

  • Topic Starter
  • Members

Posted 18 July 2007 - 02:51 PM

Huzzah! Deleted the trio from Docs & Settings on both My Computer and the server. Did a reboot & logon and the three folders remained deleted. Are we completed on this?

rebar

#8 miekiemoes

  • Malware Response Team

Posted 19 July 2007 - 12:25 AM

Are we completed on this?

Yes, you should be OK here. :thumbsup:

Just perform an extra scan with your Antivirus and Antispyware to get rid of the leftovers if still present.

#9 miekiemoes

  • Malware Response Team

Posted 28 July 2007 - 05:24 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.