Jump to content

ijnoj09

Members
  • Posts

    8
  • Joined

  • Last visited

Reputation

0 Neutral
  1. System seems to be running ok... here is the latest combofix log. ComboFix 09-04-20.02 - jpascua 04/19/2009 14:01.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1222 [GMT -7:00] Running from: c:\documents and settings\jpascua\Desktop\Combo-Fix.exe AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) * Created a new restore point . ((((((((((((((((((((((((((((( SnapShot@2009-04-19_02.27.21 ))))))))))))))))))))))))))))))))))))))))) . + 2009-04-19 21:10 . 2009-04-19 21:10 16384 c:\windows\Temp\Perflib_Perfdata_774.dat + 2009-04-19 16:37 . 2009-04-19 16:37 16384 c:\windows\Temp\Perflib_Perfdata_730.dat + 2009-04-19 21:10 . 2009-04-19 21:10 16384 c:\windows\Temp\Perflib_Perfdata_624.dat + 2009-04-19 05:01 . 2009-04-19 05:00 148888 c:\windows\system32\javaws.exe + 2009-04-19 05:01 . 2009-04-19 05:00 144792 c:\windows\system32\javaw.exe + 2009-04-19 05:01 . 2009-04-19 05:00 144792 c:\windows\system32\java.exe + 2009-03-18 15:05 . 2009-04-19 21:12 280910 c:\windows\system32\inetsrv\MetaBase.bin + 2009-04-19 05:01 . 2009-04-19 05:00 410984 c:\windows\system32\deploytk.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Spark"="c:\program files\Spark\Spark.exe" [2007-09-18 434176] "i8kfangui"="c:\program files\I8kfanGUI\I8kfanGUI.exe" [2007-02-16 856064] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-24 85696] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-19 148888] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 nwprovau [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1278574195-1621184904-620655208-2953\Scripts\Logon\0\0] "Script"=audit.bat [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Common Files\\AOL\\1139458397\\ee\\aolsoftware.exe"= "c:\\Program Files\\Common Files\\AOL\\1139458397\\ee\\aim6.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Trillian\\trillian.exe"= "c:\\Program Files\\WS_FTP\\WS_FTP95.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\NetScreen\\NetScreen-Remote\\Vpn.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-10 951632] R3 MSSEARCH;Microsoft Search;c:\program files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe [2004-10-13 69632] R3 MSSQL$SQLSERVER2005;SQL Server (SQLSERVER2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-25 29263712] R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-06-24 124608] R3 SQLAgent$SQLSERVER2005;SQL Server Agent (SQLSERVER2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [2008-11-25 346976] R4 MSSQLFDLauncher$SQLEXPRESS;SQL Full-text Filter Daemon Launcher (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\fdlauncher.exe [2008-07-10 31256] R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-08-11 47128] R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000] R4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712] R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-08-11 369688] S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-01-25 64160] S0 PQV2i;PQV2i; [x] S1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2007-02-16 14464] S1 PQIMount;PQIMount; [x] S2 Crypto;Crypto; [x] S2 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\Drivers\IPSECDRV.sys [2002-09-30 114232] S2 msftesql$SQLSERVER2005;SQL Server FullText Search (SQLSERVER2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [2007-06-22 95592] S2 RVBD_SH_Mobile_Logger;Riverbed Steelhead Mobile Log Service;c:\program files\Riverbed\Steelhead Mobile\rbtlogger.exe [2008-02-12 380928] S2 RVBD_SH_Mobile_Monitor;Riverbed Steelhead Mobile Monitor Service;c:\program files\Riverbed\Steelhead Mobile\rbtmon.exe [2008-02-12 1884160] S3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\DRIVERS\vapnt.sys [2001-12-15 36188] S3 EraserUtilDrv10910;EraserUtilDrv10910;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [2009-03-16 101936] S3 GTIPCI21;GTIPCI21;c:\windows\system32\DRIVERS\gtipci21.sys [2005-05-31 87936] S3 rbt;RVBD_SH_Mobile_Intercept;c:\progra~1\Riverbed\STEELH~1\rbt.sys [2008-02-12 251392] . Contents of the 'Scheduled Tasks' folder 2009-04-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 05:51] 2009-04-18 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34] 2009-04-08 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8231388130.job - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 08:52] . . ------- Supplementary Scan ------- . uStart Page = hxxp://nellsoncommunity uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 DPF: {19529B56-E206-4F0B-B44E-97B5F4861E6A} - hxxp://cs2850/crystalreportviewers115/ActiveXControls/PrintControl.cab FF - ProfilePath - c:\documents and settings\jpascua\Application Data\Mozilla\Firefox\Profiles\8nauzjsx.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://webmail.verizon.net/signin/|http://www.latimes.com/|http://www.google.com/ FF - component: c:\documents and settings\jpascua\Application Data\Mozilla\Firefox\Profiles\8nauzjsx.default\extensions\kodak-companion@mozilla.com\platform\WINNT_x86-msvc\components\mozFotofox.dll FF - plugin: c:\documents and settings\jpascua\Application Data\Mozilla\Firefox\Profiles\8nauzjsx.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint_03050024.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-04-19 14:12 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql$SQLSERVER2005] "ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQLSERVER2005" [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pxscan] "ImagePath"="System32\drivers\pxscan.sys" [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pxsec] "ImagePath"="System32\drivers\pxsec.sys" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\INTEL\Wireless\Folders\
  2. I uninstalled all the old java runtime version and installed the latest one. When I run F-Secure, it says "Clean" in all the file folders it looks in. It proceeds to run in the System Scan and then the window just closes after awhile. PrevX didn't detect anything. Here are the RootRepeal and Eset Logs: Eset Log: # version=4 # OnlineScanner.ocx=1.0.0.635 # OnlineScannerDLLA.dll=1, 0, 0, 79 # OnlineScannerDLLW.dll=1, 0, 0, 78 # OnlineScannerUninstaller.exe=1, 0, 0, 49 # vers_standard_module=4019 (20090418) # vers_arch_module=1.064 (20080214) # vers_adv_heur_module=1.066 (20070917) # EOSSerial=552f79284291c44eb75844db54e8a151 # end=finished # remove_checked=true # unwanted_checked=false # utc_time=2009-04-19 06:42:01 # local_time=2009-04-18 11:42:01 (-0800, Pacific Daylight Time) # country="United States" # osver=5.1.2600 NT Service Pack 2 # scanned=563295 # found=1 # scan_time=5443 C:\Qoobox\Quarantine\C\WINDOWS\system32\ewupanip.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000 RootRepeal Log: ROOTREPEAL © AD, 2007-2008 ================================================== Scan Time: 2009/04/19 09:44 Program Version: Version 1.2.3.0 Windows Version: Windows XP SP2 ================================================== Drivers ------------------- Name: dump_atapi.sys Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys Address: 0xB5754000 Size: 98304 File Visible: No Status: - Name: dump_WMILIB.SYS Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS Address: 0xBADFA000 Size: 8192 File Visible: No Status: - Name: rootrepeal.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys Address: 0xB1888000 Size: 45056 File Visible: No Status: - Hidden/Locked Files ------------------- Path: C:\WINDOWS\Temp\Perflib_Perfdata_7d4.dat Status: Allocation size mismatch (API: 16384, Raw: 0) Path: C:\Documents and Settings\jpascua\Local Settings\temp\jusched.log Status: Size mismatch (API: 2302, Raw: 1879) Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090417.007\EraserUtilDrv10910.sys Status: Locked to the Windows API! Path: C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Log\log_112.trc Status: Allocation size mismatch (API: 4096, Raw: 0) Path: C:\Documents and Settings\All Users\Application Data\Riverbed\Steelhead_mobile\log\messages.log Status: Size mismatch (API: 412827, Raw: 412580) SSDT ------------------- #: 031 Function Name: NtConnectPort Status: Hooked by "<unknown>" at address 0x8a620518 #: 041 Function Name: NtCreateKey Status: Hooked by "Lbd.sys" at address 0xba91887e #: 247 Function Name: NtSetValueKey Status: Hooked by "Lbd.sys" at address 0xba918c10 #: 257 Function Name: NtTerminateProcess Status: Hooked by "pxsec.sys" at address 0xba90a680
  3. Here are the logs. Thanks. Avenger Log: Logfile of The Avenger Version 2.0, © by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Rootkit scan active. No rootkits found! Error: file "c:\windows\sysguard.exe" not found! Deletion of file "c:\windows\sysguard.exe" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "C:\WINDOWS\system32\drivers\ati64si.sys" not found! Deletion of file "C:\WINDOWS\system32\drivers\ati64si.sys" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "C:\WINDOWS\Temp\BN1.tmp" not found! Deletion of file "C:\WINDOWS\Temp\BN1.tmp" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ati64si" not found! Deletion of driver "ati64si" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ati64si.sys" not found! Deletion of driver "ati64si.sys" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Folder "C:\recycler" deleted successfully. Error: could not open folder "D:\recycler" Deletion of folder "D:\recycler" failed! Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist Folder "e:\recycler" deleted successfully. Error: could not open folder "f:\recycler" Deletion of folder "f:\recycler" failed! Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist Error: could not open folder "g:\recycler" Deletion of folder "g:\recycler" failed! Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist Error: could not open folder "h:\recycler" Deletion of folder "h:\recycler" failed! Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist Completed script processing. ******************* Finished! Terminate. Combo Fix Log: ComboFix 09-04-19.01 - jpascua 04/18/2009 19:17.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1321 [GMT -7:00] Running from: c:\documents and settings\jpascua\Desktop\Combo-Fix.exe AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\jpascua\Application Data\Microsoft\SystemCertificates\Request c:\documents and settings\jpascua\jpascua.exe c:\windows\IE4 Error Log.txt c:\windows\system32\Cache c:\windows\system32\drivers\fad.sys c:\windows\system32\ewupanip.ini . ((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 ))))))))))))))))))))))))))))))) . 2009-04-19 00:51 . 2009-04-19 00:51 -------- d-----w c:\program files\iPod 2009-04-19 00:50 . 2009-04-19 00:51 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-04-19 00:50 . 2009-04-19 00:51 -------- d-----w c:\program files\iTunes . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-04-19 02:27 . 2006-01-11 17:15 -------- d-----w c:\program files\Symantec AntiVirus 2009-04-19 02:23 . 2009-01-25 16:51 44572 ----a-w C:\aaw7boot.log 2009-04-19 02:04 . 2009-04-19 02:04 4740 ----a-w C:\avenger.txt 2009-04-19 00:51 . 2008-12-01 19:45 -------- d-----w c:\program files\Common Files\Apple 2009-04-18 05:53 . 2006-01-08 06:53 -------- d-----w c:\program files\Trillian 2009-04-17 21:11 . 2008-07-17 01:05 -------- d-----w c:\program files\QUICKENW 2009-04-13 15:24 . 2009-03-19 16:43 -------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-04-06 22:32 . 2009-03-19 16:43 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-04-06 22:32 . 2009-03-19 16:43 15504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-03-25 03:26 . 2006-01-19 16:30 -------- d-----w c:\program files\Microsoft ActiveSync 2009-03-23 16:54 . 2006-01-08 06:41 -------- d-----w c:\program files\Winamp 2009-03-20 17:43 . 2009-02-11 18:15 -------- d-----w c:\program files\Business Objects 2009-03-20 03:51 . 2009-03-19 04:29 272 ----a-w C:\VundoFix.txt 2009-03-20 01:32 . 2009-03-20 01:32 -------- d-----w c:\documents and settings\Jonji Pascua\Application Data\Malwarebytes 2009-03-19 23:32 . 2005-02-02 09:21 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys 2009-03-19 16:43 . 2009-03-19 16:43 -------- d-----w c:\documents and settings\jpascua\Application Data\Malwarebytes 2009-03-19 16:43 . 2009-03-19 16:43 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes 2009-03-19 00:14 . 2009-03-19 00:14 -------- d-----w c:\program files\Trend Micro 2009-03-18 05:05 . 2009-03-18 04:19 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-03-18 04:27 . 2009-03-18 04:19 -------- d-----w c:\program files\Spybot - Search & Destroy 2009-03-18 03:23 . 2009-01-08 04:16 488 ----a-w C:\hpfr5550.xml 2009-03-16 03:12 . 2006-01-08 07:14 -------- d-----w c:\documents and settings\Jonji Pascua\Application Data\Apple Computer 2009-03-15 01:02 . 2009-03-15 01:02 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3} 2009-03-15 00:59 . 2009-03-15 00:58 -------- d-----w c:\program files\QuickTime 2009-03-12 04:19 . 2006-01-08 07:42 70616 ----a-w c:\documents and settings\Jonji Pascua\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-03-10 18:24 . 2006-01-19 19:10 70616 ----a-w c:\documents and settings\jpascua\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-03-10 18:22 . 2009-03-10 18:22 -------- d-----w c:\program files\MSECache 2009-03-08 05:52 . 2009-01-25 06:06 15688 ----a-w c:\windows\system32\lsdelete.exe 2009-03-08 01:24 . 2009-01-04 00:26 -------- d-----w c:\program files\Safari 2009-03-06 06:59 . 2009-03-15 00:55 1900544 ----a-w c:\windows\system32\usbaaplrc.dll 2009-03-06 06:59 . 2008-12-01 19:46 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys 2009-03-05 17:20 . 2006-11-07 18:31 -------- d-----w c:\program files\BatchPhoto 2009-03-05 17:20 . 2006-11-07 18:31 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2009-03-05 17:15 . 2006-01-23 03:26 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help 2009-03-05 17:07 . 2008-11-20 16:56 155000 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat 2009-03-05 16:51 . 2009-03-05 16:44 -------- d-----w c:\program files\Microsoft Visual Studio 9.0 2009-03-05 16:50 . 2009-03-05 16:50 -------- d-----w c:\program files\Microsoft SDKs 2009-03-05 16:49 . 2009-03-05 16:49 -------- d-----w c:\program files\Microsoft Synchronization Services 2009-03-05 16:46 . 2006-01-19 18:52 -------- d-----w c:\program files\Microsoft SQL Server 2009-03-05 16:46 . 2009-03-05 16:46 -------- d-----w c:\program files\Microsoft Sync Framework 2009-03-05 16:45 . 2009-03-05 16:45 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition 2009-02-19 15:41 . 2009-02-18 17:10 -------- d-----w c:\program files\Common Files\Motive 2009-02-19 03:58 . 2009-02-19 03:58 -------- d-----w c:\documents and settings\Jonji Pascua\Application Data\Verizon 2009-02-18 17:13 . 2009-02-18 17:13 -------- d-----w c:\documents and settings\jpascua\Application Data\Verizon 2009-02-18 17:13 . 2009-02-18 17:13 -------- d-----w c:\documents and settings\All Users\Application Data\Verizon 2009-02-18 17:12 . 2009-02-18 17:12 -------- d-----w c:\documents and settings\jpascua\Application Data\Motive 2009-02-18 17:10 . 2009-02-18 17:10 -------- d-----w c:\documents and settings\All Users\Application Data\Motive 2009-02-18 17:09 . 2009-02-18 17:09 571 ----a-w C:\NTDClient.log 2009-02-18 16:31 . 2006-02-08 19:43 -------- d-----w c:\documents and settings\jpascua\Application Data\AdobeUM 2009-02-18 16:31 . 2006-01-08 06:58 -------- d-----w c:\program files\Common Files\Adobe 2009-01-20 20:47 . 2009-01-20 20:47 136 ----a-w C:\rbtdump.log 2007-02-10 00:22 . 2007-02-10 00:22 141 ----a-w c:\documents and settings\JONJILAPTOP\ASPNET\Local Settings\Application Data\fusioncache.dat 2006-11-15 15:48 . 2006-11-15 15:48 92064 ----a-w c:\documents and settings\jpascua\mqdmmdm.sys 2006-11-15 15:48 . 2006-11-15 15:48 79328 ----a-w c:\documents and settings\jpascua\mqdmserd.sys 2006-11-15 15:48 . 2006-11-15 15:48 5936 ----a-w c:\documents and settings\jpascua\mqdmwhnt.sys 2006-11-15 15:48 . 2006-11-15 15:48 9232 ----a-w c:\documents and settings\jpascua\mqdmmdfl.sys 2006-11-15 15:48 . 2006-11-15 15:48 66656 ----a-w c:\documents and settings\jpascua\mqdmbus.sys 2006-11-15 15:48 . 2006-11-15 15:48 6208 ----a-w c:\documents and settings\jpascua\mqdmcmnt.sys 2006-11-15 15:48 . 2006-11-15 15:48 4048 ----a-w c:\documents and settings\jpascua\mqdmcr.sys 2006-11-15 15:48 . 2006-04-21 02:11 25600 ----a-w c:\documents and settings\jpascua\usbsermptxp.sys 2006-11-15 15:48 . 2006-04-21 02:11 22768 ----a-w c:\documents and settings\jpascua\usbsermpt.sys 2006-06-26 02:41 . 2006-06-26 02:41 25600 ----a-w c:\documents and settings\Jonji Pascua\usbsermptxp.sys 2006-06-26 02:41 . 2006-06-26 02:41 22768 ----a-w c:\documents and settings\Jonji Pascua\usbsermpt.sys 2006-03-16 19:46 . 2006-03-09 22:56 28672 ----a-w c:\documents and settings\jpascua\atwbxdet.dll 2006-01-23 04:08 . 2006-01-23 04:08 130 ----a-w c:\documents and settings\jpascua\Local Settings\Application Data\fusioncache.dat 2006-01-08 07:42 . 2006-01-08 07:42 135 ----a-w c:\documents and settings\Jonji Pascua\Local Settings\Application Data\fusioncache.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Spark"="c:\program files\Spark\Spark.exe" [2007-09-18 434176] "i8kfangui"="c:\program files\I8kfanGUI\I8kfanGUI.exe" [2007-02-16 856064] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-24 85696] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 nwprovau [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1278574195-1621184904-620655208-2953\Scripts\Logon\0\0] "Script"=audit.bat [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Common Files\\AOL\\1139458397\\ee\\aolsoftware.exe"= "c:\\Program Files\\Common Files\\AOL\\1139458397\\ee\\aim6.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Trillian\\trillian.exe"= "c:\\Program Files\\WS_FTP\\WS_FTP95.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\NetScreen\\NetScreen-Remote\\Vpn.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R2 amd64si;amd64si; [x] R2 fips32cup;fips32cup; [x] R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-10 951632] R3 MSSEARCH;Microsoft Search;c:\program files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe [2004-10-13 69632] R3 MSSQL$SQLSERVER2005;SQL Server (SQLSERVER2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-25 29263712] R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-06-24 124608] R3 SQLAgent$SQLSERVER2005;SQL Server Agent (SQLSERVER2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [2008-11-25 346976] R4 MSSQLFDLauncher$SQLEXPRESS;SQL Full-text Filter Daemon Launcher (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\fdlauncher.exe [2008-07-10 31256] R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-08-11 47128] R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000] R4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712] R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-08-11 369688] S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-01-25 64160] S0 PQV2i;PQV2i; [x] S1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2007-02-16 14464] S1 PQIMount;PQIMount; [x] S2 Crypto;Crypto; [x] S2 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\Drivers\IPSECDRV.sys [2002-09-30 114232] S2 msftesql$SQLSERVER2005;SQL Server FullText Search (SQLSERVER2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [2007-06-22 95592] S2 RVBD_SH_Mobile_Logger;Riverbed Steelhead Mobile Log Service;c:\program files\Riverbed\Steelhead Mobile\rbtlogger.exe [2008-02-12 380928] S2 RVBD_SH_Mobile_Monitor;Riverbed Steelhead Mobile Monitor Service;c:\program files\Riverbed\Steelhead Mobile\rbtmon.exe [2008-02-12 1884160] S3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\DRIVERS\vapnt.sys [2001-12-15 36188] S3 EraserUtilDrv10910;EraserUtilDrv10910;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [2009-03-16 101936] S3 GTIPCI21;GTIPCI21;c:\windows\system32\DRIVERS\gtipci21.sys [2005-05-31 87936] S3 rbt;RVBD_SH_Mobile_Intercept;c:\progra~1\Riverbed\STEELH~1\rbt.sys [2008-02-12 251392] . Contents of the 'Scheduled Tasks' folder 2009-04-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 05:51] 2009-04-18 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34] 2009-04-08 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8231388130.job - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 08:52] . - - - - ORPHANS REMOVED - - - - WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file) HKCU-Run-H/PC Connection Agent - c:\program files\Microsoft ActiveSync\wcescomm.exe HKCU-Run-jpascua - c:\documents and settings\jpascua\jpascua.exe . ------- Supplementary Scan ------- . uStart Page = hxxp://nellsoncommunity uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 DPF: {19529B56-E206-4F0B-B44E-97B5F4861E6A} - hxxp://cs2850/crystalreportviewers115/ActiveXControls/PrintControl.cab FF - ProfilePath - c:\documents and settings\jpascua\Application Data\Mozilla\Firefox\Profiles\8nauzjsx.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://webmail.verizon.net/signin/|http://www.latimes.com/|http://www.google.com/ FF - component: c:\documents and settings\jpascua\Application Data\Mozilla\Firefox\Profiles\8nauzjsx.default\extensions\kodak-companion@mozilla.com\platform\WINNT_x86-msvc\components\mozFotofox.dll FF - plugin: c:\documents and settings\jpascua\Application Data\Mozilla\Firefox\Profiles\8nauzjsx.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint_03050024.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-04-18 19:27 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql$SQLSERVER2005] "ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQLSERVER2005" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\INTEL\Wireless\Folders\
  4. I've run malwarebytes numerous times to try and delete files found but after a reboot they seem to keep coming back. Here is the latest malwarebytes and hijackthis logs. Please help in removing this! Thanks. Malwarebytes Log: Malwarebytes' Anti-Malware 1.36 Database version: 1996 Windows 5.1.2600 Service Pack 2 4/18/2009 1:22:02 PM mbam-log-2009-04-18 (13-22-02).txt Scan type: Quick Scan Objects scanned: 104543 Time elapsed: 7 minute(s), 31 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati64si (Rootkit.Agent) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\drivers\ati64si.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully. HiJackThis Log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:26:36 PM, on 4/18/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\system32\basfipm.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe C:\WINDOWS\System32\GEARSec.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe C:\Program Files\lotus\notes\ntmulti.exe C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Riverbed\Steelhead Mobile\rbtlogger.exe C:\Program Files\Riverbed\Steelhead Mobile\rbtmon.exe C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\Riverbed\Steelhead Mobile\rbtsport.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\I8kfanGUI\I8kfanGUI.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\WINDOWS\System32\svchost.exe C:\Documents and Settings\jpascua\jpascua.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nellsoncommunity R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nellsoncommunity R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nellsoncommunity R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [spark] C:\Program Files\Spark\Spark.exe O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" O4 - HKCU\..\Run: [] C:\Documents and Settings\jpascua\.exe /i O4 - HKCU\..\Run: [jpascua] C:\Documents and Settings\jpascua\jpascua.exe /i O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O14 - IERESET.INF: START_PAGE_URL=http://nellsoncommunity O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...20Installer.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {19529B56-E206-4F0B-B44E-97B5F4861E6A} (Crystal Reports Print Control 11.5) - http://cs2850/crystalreportviewers115/Acti...rintControl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1233266681889 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1233266662239 O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NELLSONNI.LOCAL O17 - HKLM\Software\..\Telephony: DomainName = NELLSONNI.LOCAL O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NELLSONNI.LOCAL O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NELLSONNI.LOCAL O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Riverbed Steelhead Mobile Log Service (RVBD_SH_Mobile_Logger) - Riverbed Technology, Inc - C:\Program Files\Riverbed\Steelhead Mobile\rbtlogger.exe O23 - Service: Riverbed Steelhead Mobile Monitor Service (RVBD_SH_Mobile_Monitor) - Riverbed Technology, Inc - C:\Program Files\Riverbed\Steelhead Mobile\rbtmon.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 10912 bytes
  5. I just ran HiJackThis and did the Fix Checked as you said and looks like that fixed it. Thanks for your help. Here is the log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:54:38 AM, on 3/24/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\system32\basfipm.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe C:\WINDOWS\System32\GEARSec.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe C:\Program Files\lotus\notes\ntmulti.exe C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Riverbed\Steelhead Mobile\rbtlogger.exe C:\Program Files\Riverbed\Steelhead Mobile\rbtmon.exe C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\Riverbed\Steelhead Mobile\rbtsport.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\cmd.exe M:\Public\audit\usa\cscript.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Spark\Spark.exe C:\Program Files\I8kfanGUI\I8kfanGUI.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Microsoft ActiveSync\wcescomm.exe C:\PROGRA~1\MICROS~3\rapimgr.exe C:\Program Files\lotus\notes\NLNOTES.EXE C:\Program Files\lotus\notes\nfileret.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nellsoncommunity R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nellsoncommunity R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nellsoncommunity R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKCU\..\Run: [spark] C:\Program Files\Spark\Spark.exe O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O14 - IERESET.INF: START_PAGE_URL=http://nellsoncommunity O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...20Installer.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {19529B56-E206-4F0B-B44E-97B5F4861E6A} (Crystal Reports Print Control 11.5) - http://cs2850/crystalreportviewers115/Acti...rintControl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1233266681889 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1233266662239 O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NELLSONNI.LOCAL O17 - HKLM\Software\..\Telephony: DomainName = NELLSONNI.LOCAL O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NELLSONNI.LOCAL O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NELLSONNI.LOCAL O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Riverbed Steelhead Mobile Log Service (RVBD_SH_Mobile_Logger) - Riverbed Technology, Inc - C:\Program Files\Riverbed\Steelhead Mobile\rbtlogger.exe O23 - Service: Riverbed Steelhead Mobile Monitor Service (RVBD_SH_Mobile_Monitor) - Riverbed Technology, Inc - C:\Program Files\Riverbed\Steelhead Mobile\rbtmon.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 10964 bytes
  6. I ran MBAM again and this time nothing was detected. But HijackThis logs is still showing this pawehuhe.dll running in the logs. Here are the most updated logs: MBAM Malwarebytes' Anti-Malware 1.34 Database version: 1871 Windows 5.1.2600 Service Pack 2 3/19/2009 12:43:54 PM mbam-log-2009-03-19 (12-43-54).txt Scan type: Full Scan (C:\|E:\|) Objects scanned: 287386 Time elapsed: 1 hour(s), 45 minute(s), 15 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) HiJackThis: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:59:38 PM, on 3/19/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\system32\basfipm.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe C:\WINDOWS\System32\GEARSec.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe C:\Program Files\lotus\notes\ntmulti.exe C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Riverbed\Steelhead Mobile\rbtlogger.exe C:\Program Files\Riverbed\Steelhead Mobile\rbtmon.exe C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\Riverbed\Steelhead Mobile\rbtsport.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Spark\Spark.exe C:\Program Files\I8kfanGUI\I8kfanGUI.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\lotus\notes\NLNOTES.EXE C:\Program Files\Trillian\trillian.exe C:\Program Files\lotus\notes\ntaskldr.EXE C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nellsoncommunity R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nellsoncommunity R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nellsoncommunity R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKCU\..\Run: [spark] C:\Program Files\Spark\Spark.exe O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [balusajija] Rundll32.exe "C:\WINDOWS\system32\pawehuhe.dll",s (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [balusajija] Rundll32.exe "C:\WINDOWS\system32\pawehuhe.dll",s (User 'NETWORK SERVICE') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O14 - IERESET.INF: START_PAGE_URL=http://nellsoncommunity O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...20Installer.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1233266681889 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1233266662239 O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NELLSONNI.LOCAL O17 - HKLM\Software\..\Telephony: DomainName = NELLSONNI.LOCAL O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NELLSONNI.LOCAL O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NELLSONNI.LOCAL O20 - AppInit_DLLs: c:\windows\system32\ c:\windows\system32\ c:\windows\system32\bawaruno.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Riverbed Steelhead Mobile Log Service (RVBD_SH_Mobile_Logger) - Riverbed Technology, Inc - C:\Program Files\Riverbed\Steelhead Mobile\rbtlogger.exe O23 - Service: Riverbed Steelhead Mobile Monitor Service (RVBD_SH_Mobile_Monitor) - Riverbed Technology, Inc - C:\Program Files\Riverbed\Steelhead Mobile\rbtmon.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 11104 bytes
  7. Hi, need help with malware removal. Even after Malwarebytes scan and delete, there is a random dll that seems to be running on reboot. Here are the MBAM and HijackThis logs. MBAM Log: Malwarebytes' Anti-Malware 1.34 Database version: 1871 Windows 5.1.2600 Service Pack 2 3/19/2009 10:01:59 AM mbam-log-2009-03-19 (10-01-59).txt Scan type: Quick Scan Objects scanned: 107913 Time elapsed: 15 minute(s), 38 second(s) Memory Processes Infected: 0 Memory Modules Infected: 5 Registry Keys Infected: 8 Registry Values Infected: 5 Registry Data Items Infected: 8 Folders Infected: 0 Files Infected: 10 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\wiwirira.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\pawehuhe.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\nuyakete.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\likebowa.dll (Trojan.Vundo.H) -> Delete on reboot. c:\WINDOWS\system32\rehosaki.dll (Trojan.Vundo.H) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ff2ee940-17c3-4279-90fe-90489c4cade2} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{ff2ee940-17c3-4279-90fe-90489c4cade2} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ff2ee940-17c3-4279-90fe-90489c4cade2} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\801150cf (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\balusajija (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm83226353 (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\likebowa.dll -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\likebowa.dll -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\likebowa.dll -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\rehosaki.dll -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\rehosaki.dll -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\wiwirira.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\aririwiw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\pawehuhe.dll (Trojan.Vundo.H) -> Delete on reboot. c:\WINDOWS\system32\rehosaki.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\nuyakete.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\likebowa.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\dagimewo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\forukabe.dll_old (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\zosumehu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\Documents and Settings\Jonji Pascua\Local Settings\Temporary Internet Files\Content.IE5\TEO341OD\d[2].htm (Trojan.Vundo.H) -> Quarantined and deleted successfully. HiJackThis Log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:11:15 AM, on 3/19/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\system32\basfipm.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe C:\WINDOWS\System32\GEARSec.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe C:\Program Files\lotus\notes\ntmulti.exe C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Riverbed\Steelhead Mobile\rbtlogger.exe C:\Program Files\Riverbed\Steelhead Mobile\rbtmon.exe C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\Riverbed\Steelhead Mobile\rbtsport.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Spark\Spark.exe C:\Program Files\I8kfanGUI\I8kfanGUI.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nellsoncommunity R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nellsoncommunity R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nellsoncommunity R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKCU\..\Run: [spark] C:\Program Files\Spark\Spark.exe O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [balusajija] Rundll32.exe "C:\WINDOWS\system32\pawehuhe.dll",s (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [balusajija] Rundll32.exe "C:\WINDOWS\system32\pawehuhe.dll",s (User 'NETWORK SERVICE') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O14 - IERESET.INF: START_PAGE_URL=http://nellsoncommunity O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...20Installer.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1233266681889 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1233266662239 O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NELLSONNI.LOCAL O17 - HKLM\Software\..\Telephony: DomainName = NELLSONNI.LOCAL O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NELLSONNI.LOCAL O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NELLSONNI.LOCAL O20 - AppInit_DLLs: c:\windows\system32\ c:\windows\system32\ c:\windows\system32\bawaruno.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Riverbed Steelhead Mobile Log Service (RVBD_SH_Mobile_Logger) - Riverbed Technology, Inc - C:\Program Files\Riverbed\Steelhead Mobile\rbtlogger.exe O23 - Service: Riverbed Steelhead Mobile Monitor Service (RVBD_SH_Mobile_Monitor) - Riverbed Technology, Inc - C:\Program Files\Riverbed\Steelhead Mobile\rbtmon.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 10858 bytes
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.