Jump to content

urbanfolk74

Members
  • Posts

    13
  • Joined

  • Last visited

Everything posted by urbanfolk74

  1. Thanks for getting back to me - I will review all the software you highlighted and look to "streamline" - computer doesn't do anything odd anymore, but is crushingly slow? We also removed Java and I wonder if I should reinstall? Thanks again
  2. Uninstalled System Mechanic using Add/Remove Programs in the Control Panel. Here are the two logs Malwarebytes' Anti-Malware 1.33 Database version: 1699 Windows 5.1.2600 Service Pack 3 2009-01-27 09:50:27 mbam-log-2009-01-27 (09-50-27).txt Scan type: Quick Scan Objects scanned: 64379 Time elapsed: 3 minute(s), 20 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\a-squared Free\a2service.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\iolo\common\lib\ioloServiceManager.exe C:\local\att\NetCfgSv.EXE C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe C:\Program Files\Sophos\AutoUpdate\ALsvc.exe C:\Program Files\Sophos\Remote Management System\RouterNT.exe C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe C:\WINDOWS\system32\stacsv.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\stsystra.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\Sophos\AutoUpdate\ALMon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://internal.gov.yk.ca/depts/emr/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://internal.gov.yk.ca/depts/emr/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user') O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\local\office\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\local\office\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://internal.gov.yk.ca/depts/emr/ O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://webmail.gov.yk.ca/sre/ICSScanner.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = YNet.gov.yk.ca O17 - HKLM\Software\..\Telephony: DomainName = YNet.gov.yk.ca O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\local\att\NetCfgSv.EXE O23 - Service: OracleOracleHomeClientCache - Unknown owner - C:\local\oracle\BIN\ONRSD.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD DE\Digital Home 9\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD DE\Digital Home 9\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 11420 bytes
  3. Not a problem - I appreciate all your help and can be as patient as needs be. My laptop is behaving more normally, except for speed which seems to be badly compromised on all fronts. I await your instructions, Thanks S
  4. Here it is SERVICE_NAME: a2free DISPLAY_NAME: a-squared Free Service TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: aawservice DISPLAY_NAME: Lavasoft Ad-Aware Service TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: ALG DISPLAY_NAME: Application Layer Gateway Service TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: Apple Mobile Device DISPLAY_NAME: Apple Mobile Device TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: AudioSrv DISPLAY_NAME: Windows Audio TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: Bonjour Service DISPLAY_NAME: Bonjour Service TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: Browser DISPLAY_NAME: Computer Browser TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: CcmExec DISPLAY_NAME: SMS Agent Host TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: CryptSvc DISPLAY_NAME: Cryptographic Services TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: DcomLaunch DISPLAY_NAME: DCOM Server Process Launcher TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: Dhcp DISPLAY_NAME: DHCP Client TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: dmserver DISPLAY_NAME: Logical Disk Manager TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: Dnscache DISPLAY_NAME: DNS Client TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: ERSvc DISPLAY_NAME: Error Reporting Service TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: Eventlog DISPLAY_NAME: Event Log TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: EventSystem DISPLAY_NAME: COM+ Event System TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: EvtEng DISPLAY_NAME: Intel® PROSet/Wireless Event Log TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: helpsvc DISPLAY_NAME: Help and Support TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: HidServ DISPLAY_NAME: HID Input Service TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: HTTPFilter DISPLAY_NAME: HTTP SSL TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: ioloFileInfoList DISPLAY_NAME: iolo FileInfoList Service TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: ioloSystemService DISPLAY_NAME: iolo System Service TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: IOLO_SRV DISPLAY_NAME: iolo System Guard TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: iPod Service DISPLAY_NAME: iPod Service TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: lanmanserver DISPLAY_NAME: Server TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: lanmanworkstation DISPLAY_NAME: Workstation TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: LmHosts DISPLAY_NAME: TCP/IP NetBIOS Helper TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: MSIServer DISPLAY_NAME: Windows Installer TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: NetCfgSvr DISPLAY_NAME: Network Configuration Service TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: Netlogon DISPLAY_NAME: Net Logon TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: Netman DISPLAY_NAME: Network Connections TYPE : 120 WIN32_SHARE_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: Nla DISPLAY_NAME: Network Location Awareness (NLA) TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: PlugPlay DISPLAY_NAME: Plug and Play TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: Pml Driver HPZ12 DISPLAY_NAME: Pml Driver HPZ12 TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: PolicyAgent DISPLAY_NAME: IPSEC Services TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: ProtectedStorage DISPLAY_NAME: Protected Storage TYPE : 120 WIN32_SHARE_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: RasAuto DISPLAY_NAME: Remote Access Auto Connection Manager TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: RasMan DISPLAY_NAME: Remote Access Connection Manager TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: RegSrvc DISPLAY_NAME: Intel® PROSet/Wireless Registry Service TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: RoxMediaDB9 DISPLAY_NAME: RoxMediaDB9 TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: RoxWatch9 DISPLAY_NAME: Roxio Hard Drive Watcher 9 TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: RpcSs DISPLAY_NAME: Remote Procedure Call (RPC) TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: S24EventMonitor DISPLAY_NAME: Intel® PROSet/Wireless Service TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: SamSs DISPLAY_NAME: Security Accounts Manager TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: SAVAdminService DISPLAY_NAME: Sophos Anti-Virus status reporter TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: SAVService DISPLAY_NAME: Sophos Anti-Virus TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: Schedule DISPLAY_NAME: Task Scheduler TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: seclogon DISPLAY_NAME: Secondary Logon TYPE : 120 WIN32_SHARE_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: SENS DISPLAY_NAME: System Event Notification TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: SharedAccess DISPLAY_NAME: Windows Firewall/Internet Connection Sharing (ICS) TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: ShellHWDetection DISPLAY_NAME: Shell Hardware Detection TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: Sophos Agent DISPLAY_NAME: Sophos Agent TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: Sophos AutoUpdate Service DISPLAY_NAME: Sophos AutoUpdate Service TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: Sophos Message Router DISPLAY_NAME: Sophos Message Router TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: Spooler DISPLAY_NAME: Print Spooler TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: srservice DISPLAY_NAME: System Restore Service TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: SR_Service DISPLAY_NAME: Check Point SecuRemote Service TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: SR_WatchDog DISPLAY_NAME: Check Point SecuRemote WatchDog TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: SSDPSRV DISPLAY_NAME: SSDP Discovery Service TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: STacSV DISPLAY_NAME: SigmaTel Audio Service TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: TapiSrv DISPLAY_NAME: Telephony TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: TermService DISPLAY_NAME: Terminal Services TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: Themes DISPLAY_NAME: Themes TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: TrkWks DISPLAY_NAME: Distributed Link Tracking Client TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: UMWdf DISPLAY_NAME: Windows User Mode Driver Framework TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: upnphost DISPLAY_NAME: Universal Plug and Play Device Host TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: W32Time DISPLAY_NAME: Windows Time TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: WebClient DISPLAY_NAME: WebClient TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: winmgmt DISPLAY_NAME: Windows Management Instrumentation TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: WLANKEEPER DISPLAY_NAME: Intel® PROSet/Wireless SSO Service TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: wuauserv DISPLAY_NAME: Automatic Updates TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 SERVICE_NAME: WZCSVC DISPLAY_NAME: Wireless Zero Configuration TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
  5. OK - deleted the existing ComboFix as instructed again - downloaded and ran new version - the log file still says ComboFix 09-01-21 even though I d/l 3 mins ago.....odd. ComboFix 09-01-21.04 - spmead 2009-01-23 19:59:33.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1386 [GMT -8:00] Running from: c:\documents and settings\spmead\Desktop\ComboFix.exe AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated) . ((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 ))))))))))))))))))))))))))))))) . 2009-01-19 21:55 . 2009-01-19 21:55 <DIR> d-------- c:\program files\Trend Micro 2009-01-19 20:58 . 2009-01-19 20:58 271 --a------ c:\windows\SysMech7.INI 2009-01-15 20:54 . 2009-01-18 15:43 <DIR> d-------- c:\program files\Common Files\PC Tools 2009-01-07 23:50 . 2009-01-14 22:59 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2009-01-07 23:50 . 2009-01-22 20:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-01-07 23:38 . 2009-01-07 23:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI 2009-01-07 22:36 . 2009-01-07 22:36 <DIR> d--h----- c:\windows\PIF 2009-01-05 23:05 . 2009-01-14 08:56 24,064 --a------ c:\windows\system32\pcload.exe 2009-01-03 10:19 . 2009-01-03 10:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-21 04:44 --------- d-----w c:\program files\iolo 2009-01-21 04:44 --------- d-----w c:\documents and settings\All Users\Application Data\iolo 2009-01-18 23:42 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2009-01-17 01:34 936,288 ----a-w c:\windows\system32\Incinerator.dll 2009-01-15 05:03 --------- d-----w c:\documents and settings\LocalService\Application Data\iolo 2009-01-15 03:45 --------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-01-15 00:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-15 00:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-01-08 05:54 --------- d-----w c:\program files\a-squared Free 2009-01-05 05:52 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2008-12-22 21:13 --------- d-----w c:\documents and settings\spmead\Application Data\U3 2008-12-16 00:35 --------- d-----w c:\documents and settings\spmead\Application Data\iolo 2008-12-16 00:34 --------- d-----w c:\program files\EA GAMES 2008-12-16 00:33 --------- d--h--w c:\program files\InstallShield Installation Information 2008-12-16 00:32 --------- d-----w c:\program files\Firaxis Games 2008-12-14 23:16 38,112 ----a-w c:\documents and settings\spmead\Application Data\GDIPFONTCACHEV1.DAT 2008-12-09 23:36 --------- d-----w c:\program files\Rainbow Folders 2008-11-24 04:38 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll 2008-11-18 19:51 8,192 ----a-w c:\windows\system32\smrgdf.exe 2008-01-17 16:54 56,912 ----a-w c:\documents and settings\spmead\g2mdlhlpx.exe 2008-10-19 22:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101920081020\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-14 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-14 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-07-14 118784] "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-03-26 228088] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200] "MMReminderService"="c:\program files\Mindjet\MindManager 6\MMReminderService.exe" [2006-12-13 31232] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-10-21 185632] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576] "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801] c:\documents and settings\All Users\Start Menu\Programs\Startup\ AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2007-12-11 245760] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "<NO NAME>"= 0 "ConnectHomeDirToRoot"= 1 (0x1) [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoSetActiveDesktop"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify] 2004-04-01 16:48 24668 c:\windows\system32\ckpNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.I420"= i420vfw.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2014083345-1803438435-1920297168-3537\Scripts\Logon\0\0] "Script"=\\ynet\data\coe\scripts\inventory.bat [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService] @="service" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2008-10-07 104704] R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2008-10-07 35584] R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2007-06-06 2041744] R4 agnwifi;AT&T Wi-Fi Support Driver;c:\windows\system32\drivers\agnwifi.sys [2007-06-06 19328] R4 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-09-29 596336] R4 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-09-29 596336] R4 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2008-10-07 69632] R4 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2008-10-07 98304] R4 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [2007-06-06 17424] R4 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2007-06-06 670128] S0 dekt;dekt;c:\windows\system32\drivers\rtzdiqr.sys --> c:\windows\system32\drivers\rtzdiqr.sys [?] S0 ohpyhm;ohpyhm;c:\windows\system32\drivers\fjil.sys --> c:\windows\system32\drivers\fjil.sys [?] S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2007-06-06 14924] S3 OracleOracleHomeClientCache;OracleOracleHomeClientCache;c:\local\oracle\BIN\ONRSD.EXE [2000-10-19 411244] S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-10-07 14976] --- Other Services/Drivers In Memory --- *Deregistered* - mchInjDrv . Contents of the 'Scheduled Tasks' folder 2009-01-24 c:\windows\Tasks\zcasyjhh.job - c:\windows\system32\vtUkJyWn.dll [] . . ------- Supplementary Scan ------- . uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uStart Page = hxxp://internal.gov.yk.ca/depts/emr/ uInternet Connection Wizard,ShellNext = hxxp://internal.gov.yk.ca/depts/emr/ uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\local\office\Office10\EXCEL.EXE/3000 IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://webmail.gov.yk.ca/sre/ICSScanner.cab FF - ProfilePath - c:\documents and settings\spmead\Application Data\Mozilla\Firefox\Profiles\pozkosfv.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Google . . ------- File Associations ------- . JSEFile=NOTEPAD.EXE %1 VBEFile=NOTEPAD.EXE %1 VBSFile=NOTEPAD.EXE %1 . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-23 20:02:04 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Sophos Message Router] "ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194" . Completion time: 2009-01-23 20:04:11 ComboFix-quarantined-files.txt 2009-01-24 04:04:07 ComboFix2.txt 2009-01-24 03:54:27 Pre-Run: 60,964,319,232 bytes free Post-Run: 60,952,780,800 bytes free 151 --- E O F --- 2008-10-07 21:42:48 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:04, on 2009-01-23 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\a-squared Free\a2service.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\iolo\common\lib\ioloServiceManager.exe C:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe C:\local\att\NetCfgSv.EXE C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe C:\Program Files\Sophos\AutoUpdate\ALsvc.exe C:\Program Files\Sophos\Remote Management System\RouterNT.exe C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe C:\WINDOWS\system32\stacsv.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\stsystra.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\Sophos\AutoUpdate\ALMon.exe C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\msiexec.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://internal.gov.yk.ca/depts/emr/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://internal.gov.yk.ca/depts/emr/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user') O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\local\office\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\local\office\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://internal.gov.yk.ca/depts/emr/ O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://webmail.gov.yk.ca/sre/ICSScanner.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = YNet.gov.yk.ca O17 - HKLM\Software\..\Telephony: DomainName = YNet.gov.yk.ca O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\local\att\NetCfgSv.EXE O23 - Service: OracleOracleHomeClientCache - Unknown owner - C:\local\oracle\BIN\ONRSD.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD DE\Digital Home 9\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD DE\Digital Home 9\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 12046 bytes
  6. When I entered the routine to delete combofix in the previous step, it indicated that it couldnt find the file.....I downloaded a new version and ran that - seems something went astray - will try again to delete as you suggested reinstall....
  7. Two logs form latest steps Combo Fix omboFix 09-01-21.04 - spmead 2009-01-23 19:05:35.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1446 [GMT -8:00] Running from: c:\documents and settings\spmead\Desktop\ComboFix.exe AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated) . /wow section - STAGE 8 The process cannot access the file because it is being used by another process. ((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 ))))))))))))))))))))))))))))))) . 2009-01-19 21:55 . 2009-01-19 21:55 <DIR> d-------- c:\program files\Trend Micro 2009-01-19 20:58 . 2009-01-19 20:58 271 --a------ c:\windows\SysMech7.INI 2009-01-15 20:54 . 2009-01-18 15:43 <DIR> d-------- c:\program files\Common Files\PC Tools 2009-01-07 23:50 . 2009-01-14 22:59 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2009-01-07 23:50 . 2009-01-22 20:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-01-07 23:38 . 2009-01-07 23:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI 2009-01-07 22:36 . 2009-01-07 22:36 <DIR> d--h----- c:\windows\PIF 2009-01-05 23:05 . 2009-01-14 08:56 24,064 --a------ c:\windows\system32\pcload.exe 2009-01-03 10:19 . 2009-01-03 10:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-21 04:44 --------- d-----w c:\program files\iolo 2009-01-21 04:44 --------- d-----w c:\documents and settings\All Users\Application Data\iolo 2009-01-18 23:42 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2009-01-17 01:34 936,288 ----a-w c:\windows\system32\Incinerator.dll 2009-01-15 05:03 --------- d-----w c:\documents and settings\LocalService\Application Data\iolo 2009-01-15 03:45 --------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-01-15 00:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-15 00:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-01-08 05:54 --------- d-----w c:\program files\a-squared Free 2009-01-05 05:52 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2008-12-22 21:13 --------- d-----w c:\documents and settings\spmead\Application Data\U3 2008-12-16 00:35 --------- d-----w c:\documents and settings\spmead\Application Data\iolo 2008-12-16 00:34 --------- d-----w c:\program files\EA GAMES 2008-12-16 00:33 --------- d--h--w c:\program files\InstallShield Installation Information 2008-12-16 00:32 --------- d-----w c:\program files\Firaxis Games 2008-12-14 23:16 38,112 ----a-w c:\documents and settings\spmead\Application Data\GDIPFONTCACHEV1.DAT 2008-12-09 23:36 --------- d-----w c:\program files\Rainbow Folders 2008-11-24 04:38 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll 2008-11-18 19:51 8,192 ----a-w c:\windows\system32\smrgdf.exe 2008-01-17 16:54 56,912 ----a-w c:\documents and settings\spmead\g2mdlhlpx.exe 2008-10-19 22:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101920081020\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-14 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-14 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-07-14 118784] "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-03-26 228088] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200] "MMReminderService"="c:\program files\Mindjet\MindManager 6\MMReminderService.exe" [2006-12-13 31232] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-10-21 185632] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576] "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801] c:\documents and settings\All Users\Start Menu\Programs\Startup\ AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2007-12-11 245760] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "<NO NAME>"= 0 "ConnectHomeDirToRoot"= 1 (0x1) [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoSetActiveDesktop"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify] 2004-04-01 16:48 24668 c:\windows\system32\ckpNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.I420"= i420vfw.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2014083345-1803438435-1920297168-3537\Scripts\Logon\0\0] "Script"=\\ynet\data\coe\scripts\inventory.bat [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService] @="service" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2008-10-07 104704] R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2008-10-07 35584] R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2007-06-06 2041744] R4 agnwifi;AT&T Wi-Fi Support Driver;c:\windows\system32\drivers\agnwifi.sys [2007-06-06 19328] R4 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-09-29 596336] R4 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-09-29 596336] R4 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2008-10-07 69632] R4 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2008-10-07 98304] R4 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [2007-06-06 17424] R4 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2007-06-06 670128] S0 dekt;dekt;c:\windows\system32\drivers\rtzdiqr.sys --> c:\windows\system32\drivers\rtzdiqr.sys [?] S0 ohpyhm;ohpyhm;c:\windows\system32\drivers\fjil.sys --> c:\windows\system32\drivers\fjil.sys [?] S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2007-06-06 14924] S3 OracleOracleHomeClientCache;OracleOracleHomeClientCache;c:\local\oracle\BIN\ONRSD.EXE [2000-10-19 411244] S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-10-07 14976] --- Other Services/Drivers In Memory --- *Deregistered* - mchInjDrv . Contents of the 'Scheduled Tasks' folder 2009-01-24 c:\windows\Tasks\zcasyjhh.job - c:\windows\system32\vtUkJyWn.dll [] . - - - - ORPHANS REMOVED - - - - BHO-{154ad25d-863c-4043-badb-032c9719b824} - (no file) BHO-{424eda89-2752-4127-a799-e2e670beecff} - (no file) BHO-{53c6f33d-4b48-4d86-8807-a0d1db1346e1} - (no file) BHO-{76989fcf-367b-4733-b2b0-cbae7238fc84} - (no file) BHO-{8b2d1e4b-266c-401d-8cd2-4f30cd3ca645} - (no file) BHO-{9b9973d9-270a-422d-9cec-33f7ca32645c} - (no file) HKLM-Run-SMSystemAnalyzer - c:\program files\iolo\System Mechanic 7\SMSystemAnalyzer.exe HKLM-Run-pdfSaver3 - (no file) . ------- Supplementary Scan ------- . uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uStart Page = hxxp://internal.gov.yk.ca/depts/emr/ uInternet Connection Wizard,ShellNext = hxxp://internal.gov.yk.ca/depts/emr/ uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\local\office\Office10\EXCEL.EXE/3000 IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://webmail.gov.yk.ca/sre/ICSScanner.cab FF - ProfilePath - c:\documents and settings\spmead\Application Data\Mozilla\Firefox\Profiles\pozkosfv.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Google . . ------- File Associations ------- . JSEFile=NOTEPAD.EXE %1 VBEFile=NOTEPAD.EXE %1 VBSFile=NOTEPAD.EXE %1 . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-23 19:08:36 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Sophos Message Router] "ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194" . Completion time: 2009-01-23 19:10:45 ComboFix-quarantined-files.txt 2009-01-24 03:10:42 Pre-Run: 60,703,862,784 bytes free Post-Run: 60,693,372,928 bytes free 161 --- E O F --- 2008-10-07 21:42:48 HJT Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:11, on 2009-01-23 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\a-squared Free\a2service.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\iolo\common\lib\ioloServiceManager.exe C:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe C:\local\att\NetCfgSv.EXE C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe C:\Program Files\Sophos\AutoUpdate\ALsvc.exe C:\Program Files\Sophos\Remote Management System\RouterNT.exe C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe C:\WINDOWS\system32\stacsv.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\stsystra.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\Sophos\AutoUpdate\ALMon.exe C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://internal.gov.yk.ca/depts/emr/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://internal.gov.yk.ca/depts/emr/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user') O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\local\office\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\local\office\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://internal.gov.yk.ca/depts/emr/ O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://webmail.gov.yk.ca/sre/ICSScanner.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = YNet.gov.yk.ca O17 - HKLM\Software\..\Telephony: DomainName = YNet.gov.yk.ca O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\local\att\NetCfgSv.EXE O23 - Service: OracleOracleHomeClientCache - Unknown owner - C:\local\oracle\BIN\ONRSD.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD DE\Digital Home 9\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD DE\Digital Home 9\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 11925 bytes
  8. Ran Sophos(after updating) Here is the log file: 20090123 201121 Scan 'Scan my computer' started. 20090123 201506 Scanning "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\interchk.chk" returned SAV Interface error 0xa0040210: The file could not be accessed. 20090123 203011 File "C:\System Volume Information\_restore{28E27F07-7D8D-4940-B6E4-F3D46FAD488F}\RP2\A0000151.com" belongs to adware/PUA 'NirCmd' (of type Other). 20090123 203040 File "C:\WINDOWS\NIRCMD.exe" belongs to adware/PUA 'NirCmd' (of type Other). 20090123 204138 Scanning "C:\WINDOWS\system32\CatRoot2\edb.log" returned SAV Interface error 0xa0040210: The file could not be accessed. 20090123 204139 Scanning "C:\WINDOWS\system32\CatRoot2\tmp.edb" returned SAV Interface error 0xa0040210: The file could not be accessed. 20090123 204313 Scanning "C:\WINDOWS\Temp\fb_1680.lck" returned SAV Interface error 0xa0040210: The file could not be accessed. 20090123 204313 Scanning "C:\WINDOWS\Temp\JET3BD6.tmp" returned SAV Interface error 0xa0040210: The file could not be accessed. 20090123 204313 Scanning "C:\WINDOWS\Temp\Perflib_Perfdata_200.dat" returned SAV Interface error 0xa0040210: The file could not be accessed. 20090123 204322 Adware/PUA 'NirCmd' has been detected. 20090123 204322 Scan 'Scan my computer' completed. 20090123 204322 Summary of results for scan 'Scan my computer': Items scanned: 78304 Errors: 6 Items quarantined: 1 Items dealt with: 0 Cleaned up Adaware/PUA of type NirCmd
  9. Step 2 Logs Avenger Logfile of The Avenger Version 2.0, © by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\c:\windows\system32\drivers\rtzdiqr.sys" not found! Deletion of driver "c:\windows\system32\drivers\rtzdiqr.sys" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\c:\windows\system32\drivers\fjil.sys" not found! Deletion of driver "c:\windows\system32\drivers\fjil.sys" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist File "c:\windows\isRS-000.tmp" deleted successfully. Error: file "c:\windows\system32\vtUkJyWn.dll" not found! Deletion of file "c:\windows\system32\vtUkJyWn.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Completed script processing. ******************* Finished! Terminate. MBAM Malwarebytes' Anti-Malware 1.33 Database version: 1682 Windows 5.1.2600 Service Pack 3 2009-01-22 20:58:21 mbam-log-2009-01-22 (20-58-21).txt Scan type: Quick Scan Objects scanned: 63601 Time elapsed: 3 minute(s), 35 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 2 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mumozavoha (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmab98e33a (Trojan.Vundo.H) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) HJT Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:59, on 2009-01-22 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\a-squared Free\a2service.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\iolo\common\lib\ioloServiceManager.exe C:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe C:\local\att\NetCfgSv.EXE C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe C:\Program Files\Sophos\AutoUpdate\ALsvc.exe C:\Program Files\Sophos\Remote Management System\RouterNT.exe C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe C:\WINDOWS\system32\stacsv.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\stsystra.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\Sophos\AutoUpdate\ALMon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\msiexec.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://internal.gov.yk.ca/depts/emr/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://internal.gov.yk.ca/depts/emr/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: (no name) - {154ad25d-863c-4043-badb-032c9719b824} - (no file) O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll O2 - BHO: (no name) - {424eda89-2752-4127-a799-e2e670beecff} - (no file) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {53c6f33d-4b48-4d86-8807-a0d1db1346e1} - (no file) O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {76989fcf-367b-4733-b2b0-cbae7238fc84} - (no file) O2 - BHO: (no name) - {8b2d1e4b-266c-401d-8cd2-4f30cd3ca645} - (no file) O2 - BHO: (no name) - {9b9973d9-270a-422d-9cec-33f7ca32645c} - (no file) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [sMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user') O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\local\office\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\local\office\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://internal.gov.yk.ca/depts/emr/ O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://webmail.gov.yk.ca/sre/ICSScanner.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = YNet.gov.yk.ca O17 - HKLM\Software\..\Telephony: DomainName = YNet.gov.yk.ca O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\local\att\NetCfgSv.EXE O23 - Service: OracleOracleHomeClientCache - Unknown owner - C:\local\oracle\BIN\ONRSD.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD DE\Digital Home 9\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD DE\Digital Home 9\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 12640 bytes Step 3 Java Log JavaRa 1.13 Removal Log. Report follows after line. ------------------------------------ The JavaRa removal process was started on Thu Jan 22 21:03:51 2009 Found and removed: Software\Classes\JavaPlugin.160_05 Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\ ------------------------------------ Finished reporting. Step 4 Logs MBAM Malwarebytes' Anti-Malware 1.33 Database version: 1682 Windows 5.1.2600 Service Pack 3 2009-01-22 21:10:22 mbam-log-2009-01-22 (21-10-22).txt Scan type: Quick Scan Objects scanned: 63430 Time elapsed: 1 minute(s), 56 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) HJK Log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 21:15, on 2009-01-22 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\a-squared Free\a2service.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\iolo\common\lib\ioloServiceManager.exe C:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe C:\local\att\NetCfgSv.EXE C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe C:\Program Files\Sophos\AutoUpdate\ALsvc.exe C:\Program Files\Sophos\Remote Management System\RouterNT.exe C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe C:\WINDOWS\system32\stacsv.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\stsystra.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\Sophos\AutoUpdate\ALMon.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://internal.gov.yk.ca/depts/emr/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://internal.gov.yk.ca/depts/emr/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: (no name) - {154ad25d-863c-4043-badb-032c9719b824} - (no file) O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll O2 - BHO: (no name) - {424eda89-2752-4127-a799-e2e670beecff} - (no file) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {53c6f33d-4b48-4d86-8807-a0d1db1346e1} - (no file) O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: (no name) - {76989fcf-367b-4733-b2b0-cbae7238fc84} - (no file) O2 - BHO: (no name) - {8b2d1e4b-266c-401d-8cd2-4f30cd3ca645} - (no file) O2 - BHO: (no name) - {9b9973d9-270a-422d-9cec-33f7ca32645c} - (no file) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [sMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user') O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\local\office\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\local\office\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://internal.gov.yk.ca/depts/emr/ O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://webmail.gov.yk.ca/sre/ICSScanner.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = YNet.gov.yk.ca O17 - HKLM\Software\..\Telephony: DomainName = YNet.gov.yk.ca O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\local\att\NetCfgSv.EXE O23 - Service: OracleOracleHomeClientCache - Unknown owner - C:\local\oracle\BIN\ONRSD.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD DE\Digital Home 9\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD DE\Digital Home 9\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 12256 bytes
  10. Your assumption is correct Here are the logs ComboFix 09-01-21.04 - spmead 2009-01-22 19:31:49.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1336 [GMT -8:00] Running from: c:\documents and settings\spmead\Desktop\ComboFix.exe AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated) * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat c:\windows\system32\cdxdsd.dll c:\windows\system32\kigebele.dll.vir c:\windows\system32\lelimafu.dll c:\windows\system32\log.exe c:\windows\system32\modufime.dll c:\windows\system32\mulipiza.dll c:\windows\system32\odolejip.ini c:\windows\system32\test.ttt c:\windows\system32\ukehisut.ini c:\windows\system32\win32hlp.cnf ----- BITS: Possible infected sites ----- hxxp://VESPA:80 Infected copy of c:\windows\system32\userinit.exe was found and disinfected Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_seneka ((((((((((((((((((((((((( Files Created from 2008-12-23 to 2009-01-23 ))))))))))))))))))))))))))))))) . 2009-01-19 21:55 . 2009-01-19 21:55 <DIR> d-------- c:\program files\Trend Micro 2009-01-19 20:58 . 2009-01-19 20:58 271 --a------ c:\windows\SysMech7.INI 2009-01-19 19:55 . 2009-01-20 20:44 680,960 --a------ c:\windows\isRS-000.tmp 2009-01-15 20:54 . 2009-01-18 15:43 <DIR> d-------- c:\program files\Common Files\PC Tools 2009-01-07 23:50 . 2009-01-14 22:59 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2009-01-07 23:50 . 2009-01-21 20:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-01-07 23:38 . 2009-01-07 23:38 <DIR> d-------- C:\VundoFix Backups 2009-01-07 23:38 . 2009-01-07 23:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI 2009-01-07 22:36 . 2009-01-07 22:36 <DIR> d--h----- c:\windows\PIF 2009-01-05 23:05 . 2009-01-14 08:56 24,064 --a------ c:\windows\system32\pcload.exe 2009-01-03 10:19 . 2009-01-03 10:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-21 04:44 --------- d-----w c:\program files\iolo 2009-01-21 04:44 --------- d-----w c:\documents and settings\All Users\Application Data\iolo 2009-01-18 23:42 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2009-01-17 01:34 936,288 ----a-w c:\windows\system32\Incinerator.dll 2009-01-15 05:03 --------- d-----w c:\documents and settings\LocalService\Application Data\iolo 2009-01-15 03:45 --------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-01-15 00:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-15 00:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-01-08 05:54 --------- d-----w c:\program files\a-squared Free 2009-01-05 05:52 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2008-12-22 21:13 --------- d-----w c:\documents and settings\spmead\Application Data\U3 2008-12-16 00:35 --------- d-----w c:\documents and settings\spmead\Application Data\iolo 2008-12-16 00:34 --------- d-----w c:\program files\EA GAMES 2008-12-16 00:33 --------- d--h--w c:\program files\InstallShield Installation Information 2008-12-16 00:32 --------- d-----w c:\program files\Firaxis Games 2008-12-14 23:16 38,112 ----a-w c:\documents and settings\spmead\Application Data\GDIPFONTCACHEV1.DAT 2008-12-09 23:36 --------- d-----w c:\program files\Rainbow Folders 2008-11-24 04:38 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll 2008-11-18 19:51 8,192 ----a-w c:\windows\system32\smrgdf.exe 2008-01-17 16:54 56,912 ----a-w c:\documents and settings\spmead\g2mdlhlpx.exe 2008-10-19 22:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101920081020\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-14 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-14 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-07-14 118784] "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-03-26 228088] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200] "MMReminderService"="c:\program files\Mindjet\MindManager 6\MMReminderService.exe" [2006-12-13 31232] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-10-21 185632] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576] "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801] c:\documents and settings\All Users\Start Menu\Programs\Startup\ AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2007-12-11 245760] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "<NO NAME>"= 0 "ConnectHomeDirToRoot"= 1 (0x1) [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoSetActiveDesktop"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify] 2004-04-01 16:48 24668 c:\windows\system32\ckpNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.I420"= i420vfw.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2014083345-1803438435-1920297168-3537\Scripts\Logon\0\0] "Script"=\\ynet\data\coe\scripts\inventory.bat [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService] @="service" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2008-10-07 104704] R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2008-10-07 35584] R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2007-06-06 2041744] R4 agnwifi;AT&T Wi-Fi Support Driver;c:\windows\system32\drivers\agnwifi.sys [2007-06-06 19328] R4 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-09-29 596336] R4 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-09-29 596336] R4 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2008-10-07 69632] R4 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2008-10-07 98304] R4 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [2007-06-06 17424] R4 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2007-06-06 670128] S0 dekt;dekt;c:\windows\system32\drivers\rtzdiqr.sys --> c:\windows\system32\drivers\rtzdiqr.sys [?] S0 ohpyhm;ohpyhm;c:\windows\system32\drivers\fjil.sys --> c:\windows\system32\drivers\fjil.sys [?] S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2007-06-06 14924] S3 OracleOracleHomeClientCache;OracleOracleHomeClientCache;c:\local\oracle\BIN\ONRSD.EXE [2000-10-19 411244] S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-10-07 14976] --- Other Services/Drivers In Memory --- *Deregistered* - mchInjDrv . Contents of the 'Scheduled Tasks' folder 2009-01-22 c:\windows\Tasks\zcasyjhh.job - c:\windows\system32\vtUkJyWn.dll [] . - - - - ORPHANS REMOVED - - - - BHO-{154ad25d-863c-4043-badb-032c9719b824} - (no file) BHO-{424eda89-2752-4127-a799-e2e670beecff} - (no file) BHO-{53c6f33d-4b48-4d86-8807-a0d1db1346e1} - (no file) BHO-{76989fcf-367b-4733-b2b0-cbae7238fc84} - (no file) BHO-{8b2d1e4b-266c-401d-8cd2-4f30cd3ca645} - (no file) BHO-{9b9973d9-270a-422d-9cec-33f7ca32645c} - (no file) HKLM-Run-SMSystemAnalyzer - c:\program files\iolo\System Mechanic 7\SMSystemAnalyzer.exe HKLM-Run-mumozavoha - c:\windows\system32\zobudome.dll HKLM-Run-CPMab98e33a - c:\windows\system32\kikububu.dll HKLM-Run-pdfSaver3 - (no file) HKLM-Run-<NO NAME> - (no file) . ------- Supplementary Scan ------- . uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uStart Page = hxxp://internal.gov.yk.ca/depts/emr/ uInternet Connection Wizard,ShellNext = hxxp://internal.gov.yk.ca/depts/emr/ uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\local\office\Office10\EXCEL.EXE/3000 IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://webmail.gov.yk.ca/sre/ICSScanner.cab FF - ProfilePath - c:\documents and settings\spmead\Application Data\Mozilla\Firefox\Profiles\pozkosfv.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Google . . ------- File Associations ------- . JSEFile=NOTEPAD.EXE %1 VBEFile=NOTEPAD.EXE %1 VBSFile=NOTEPAD.EXE %1 . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-22 19:40:41 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Sophos Message Router] "ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(4680) c:\program files\iolo\Common\Lib\sguard.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\program files\Intel\Wireless\Bin\WLKEEPER.exe c:\program files\Lavasoft\Ad-Aware\aawservice.exe c:\program files\a-squared Free\a2service.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\iolo\System Mechanic\IoloSGCtrl.exe c:\local\att\NetCfgSv.EXE c:\windows\system32\HPZipm12.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe c:\program files\Sophos\AutoUpdate\ALsvc.exe c:\program files\Sophos\Remote Management System\RouterNT.exe c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe c:\windows\system32\stacsv.exe c:\windows\system32\wdfmgr.exe c:\windows\system32\CCM\CcmExec.exe c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.exe c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe c:\windows\system32\msiexec.exe c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe c:\program files\iPod\bin\iPodService.exe c:\windows\system32\verclsid.exe . ************************************************************************** . Completion time: 2009-01-22 19:45:50 - machine was rebooted ComboFix-quarantined-files.txt 2009-01-23 03:45:44 Pre-Run: 60,591,800,320 bytes free Post-Run: 60,576,399,360 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect Current=3 Default=3 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5 234 --- E O F --- 2008-10-07 21:42:48 HJT log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:48, on 2009-01-22 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\a-squared Free\a2service.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\iolo\common\lib\ioloServiceManager.exe C:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe C:\local\att\NetCfgSv.EXE C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe C:\Program Files\Sophos\AutoUpdate\ALsvc.exe C:\Program Files\Sophos\Remote Management System\RouterNT.exe C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe C:\WINDOWS\system32\stacsv.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\CCM\CcmExec.exe C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe C:\WINDOWS\system32\msiexec.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\stsystra.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\Sophos\AutoUpdate\ALMon.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://internal.gov.yk.ca/depts/emr/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://internal.gov.yk.ca/depts/emr/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user') O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\local\office\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\local\office\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://internal.gov.yk.ca/depts/emr/ O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://webmail.gov.yk.ca/sre/ICSScanner.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = YNet.gov.yk.ca O17 - HKLM\Software\..\Telephony: DomainName = YNet.gov.yk.ca O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = YNet.gov.yk.ca O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = YNet.gov.yk.ca O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = YNet.gov.yk.ca O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\local\att\NetCfgSv.EXE O23 - Service: OracleOracleHomeClientCache - Unknown owner - C:\local\oracle\BIN\ONRSD.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD DE\Digital Home 9\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD DE\Digital Home 9\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 12559 bytes HJT Log
  11. Was able to run MBAM Selected and fixed the 17 items highlightes. Received a box that stated "Certain items could not be removed...." This was the item indicated: c:\WINDOWS\system32\aarlqc.dll Saved the log file - rebooted the computer as request. Ran HJT. New MBAM log Malwarebytes' Anti-Malware 1.33 Database version: 1682 Windows 5.1.2600 Service Pack 3 1/22/2009 1:06:48 PM mbam-log-2009-01-22 (13-06-48).txt Scan type: Quick Scan Objects scanned: 64350 Time elapsed: 4 minute(s), 12 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 11 Registry Values Infected: 4 Registry Data Items Infected: 2 Folders Infected: 0 Files Infected: 4 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\aarlqc.dll (Trojan.Vundo.H) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53c6f33d-4b48-4d86-8807-a0d1db1346e1} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{53c6f33d-4b48-4d86-8807-a0d1db1346e1} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{154ad25d-863c-4043-badb-032c9719b824} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{154ad25d-863c-4043-badb-032c9719b824} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{53c6f33d-4b48-4d86-8807-a0d1db1346e1} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mumozavoha (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmab98e33a (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: system32\userinit.exe -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\aarlqc.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\dunumeda.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ademunud.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\leliwomu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. Latest HBJ log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:49:40 PM, on 1/22/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\a-squared Free\a2service.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\iolo\common\lib\ioloServiceManager.exe C:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe C:\local\att\NetCfgSv.EXE C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe C:\Program Files\Sophos\AutoUpdate\ALsvc.exe C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe C:\WINDOWS\system32\stacsv.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe C:\Program Files\Sophos\Remote Management System\RouterNT.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe C:\WINDOWS\stsystra.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\Sophos\AutoUpdate\ALMon.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://internal.gov.yk.ca/depts/emr/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://internal.gov.yk.ca/depts/emr/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EMR Information Systems R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: (no name) - {154ad25d-863c-4043-badb-032c9719b824} - (no file) O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll O2 - BHO: (no name) - {424eda89-2752-4127-a799-e2e670beecff} - (no file) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {53c6f33d-4b48-4d86-8807-a0d1db1346e1} - (no file) O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {76989fcf-367b-4733-b2b0-cbae7238fc84} - (no file) O2 - BHO: (no name) - {8b2d1e4b-266c-401d-8cd2-4f30cd3ca645} - (no file) O2 - BHO: (no name) - {9b9973d9-270a-422d-9cec-33f7ca32645c} - (no file) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [sMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [mumozavoha] Rundll32.exe "C:\WINDOWS\system32\zobudome.dll",s O4 - HKLM\..\Run: [CPMab98e33a] Rundll32.exe "c:\windows\system32\kikububu.dll",a O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-19\..\Run: [mumozavoha] Rundll32.exe "C:\WINDOWS\system32\zobudome.dll",s (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [mumozavoha] Rundll32.exe "C:\WINDOWS\system32\zobudome.dll",s (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user') O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\local\office\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\local\office\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://internal.gov.yk.ca/depts/emr/ O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://webmail.gov.yk.ca/sre/ICSScanner.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = YNet.gov.yk.ca O17 - HKLM\Software\..\Telephony: DomainName = YNet.gov.yk.ca O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = YNet.gov.yk.ca O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = YNet.gov.yk.ca O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = YNet.gov.yk.ca O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL neggre.dll c:\windows\system32\jalehini.dll C:\WINDOWS\system32\peheliba.dll xasphv.dll ykpwke.dll c:\windows\system32\sunufajo.dll cdxdsd.dll c:\windows\system32\safodaru.dll rwdwgb.dll c:\windows\system32\kikububu.dll c:\windows\system32\kigebele.dll O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file) O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\local\att\NetCfgSv.EXE O23 - Service: OracleOracleHomeClientCache - Unknown owner - C:\local\oracle\BIN\ONRSD.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD DE\Digital Home 9\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD DE\Digital Home 9\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 13911 bytes I hope I was able to follow your instruction correctly - again, thankyou for your support and patience.
  12. Firstly, thankyou so much for attempting to help me cure this problem. It is greatly appreciated. I followed the steps provided by you. At step 7, I saw a message as you suggested I might: "ComboFix has detected the presence of root.... "(however, there was no mention of reboot needed box in the warning) These were the three files identified C:\WINDOWS\system32\peheliba.dll C:\WINDOWS\system32\cdxdsd.dll C:\windows\system32\kigebel.dll I clicked on the ok button; Combofix continued to work momentarily, then the box you referenced that involved rebooting appeared with a single file mentioned: C:\WINDOWS\system32\peheliba.dll I clicked ok The computer rebooted with 4 run.dll error messages - Combofix did not restart, nor was there a Combofix log file available to provide you. As the Combofix did not work without exceptions, I stopped. I have not provided an update HijackThis log file as I wasn't sure whether to run or wait for your further instructions. I chose to wait.....
  13. Got a nasty shock whilst watching the Lakers game on justin.tv, and now I cant seem to get rid of a whole host of issues - that will teach me, Have tried to fix selected with Malaware and SpyBot SD. Spy bot continually finds three virtumondo.prx files that wont go. Here is my Hijackthis log file Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:55:40 PM, on 1/19/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\a-squared Free\a2service.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\iolo\common\lib\ioloServiceManager.exe C:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe C:\local\att\NetCfgSv.EXE C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe C:\Program Files\Sophos\AutoUpdate\ALsvc.exe C:\Program Files\Sophos\Remote Management System\RouterNT.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe C:\WINDOWS\system32\stacsv.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\stsystra.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\Sophos\AutoUpdate\ALMon.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://internal.gov.yk.ca/depts/emr/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://internal.gov.yk.ca/depts/emr/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EMR Information Systems R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: (no name) - {154ad25d-863c-4043-badb-032c9719b824} - C:\WINDOWS\system32\lilomijo.dll (file missing) O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {76989fcf-367b-4733-b2b0-cbae7238fc84} - (no file) O2 - BHO: (no name) - {8b2d1e4b-266c-401d-8cd2-4f30cd3ca645} - (no file) O2 - BHO: (no name) - {9b9973d9-270a-422d-9cec-33f7ca32645c} - (no file) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [sMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [mumozavoha] Rundll32.exe "C:\WINDOWS\system32\zobudome.dll",s O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-19\..\Run: [mumozavoha] Rundll32.exe "C:\WINDOWS\system32\zobudome.dll",s (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [mumozavoha] Rundll32.exe "C:\WINDOWS\system32\zobudome.dll",s (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user') O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\local\office\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\local\office\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://internal.gov.yk.ca/depts/emr/ O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://webmail.gov.yk.ca/sre/ICSScanner.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = YNet.gov.yk.ca O17 - HKLM\Software\..\Telephony: DomainName = YNet.gov.yk.ca O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = YNet.gov.yk.ca O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = YNet.gov.yk.ca O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = YNet.gov.yk.ca O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL neggre.dll c:\windows\system32\jalehini.dll C:\WINDOWS\system32\peheliba.dll xasphv.dll ykpwke.dll c:\windows\system32\sunufajo.dll cdxdsd.dll c:\windows\system32\safodaru.dll O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\local\att\NetCfgSv.EXE O23 - Service: OracleOracleHomeClientCache - Unknown owner - C:\local\oracle\BIN\ONRSD.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD DE\Digital Home 9\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Roxio MyDVD DE\Digital Home 9\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 13780 bytes and here is my Malaware log: Malwarebytes' Anti-Malware 1.33 Database version: 1668 Windows 5.1.2600 Service Pack 3 1/19/2009 10:35:44 PM mbam-log-2009-01-19 (22-35-40).txt Scan type: Full Scan (C:\|) Objects scanned: 139387 Time elapsed: 33 minute(s), 2 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 4 Registry Values Infected: 1 Registry Data Items Infected: 3 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{154ad25d-863c-4043-badb-032c9719b824} (Trojan.Vundo.H) -> No action taken. HKEY_CLASSES_ROOT\CLSID\{154ad25d-863c-4043-badb-032c9719b824} (Trojan.Vundo.H) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mumozavoha (Trojan.Vundo.H) -> No action taken. Registry Data Items Infected: HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: c:\windows\system32\userinit.exe -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: system32\userinit.exe -> No action taken. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\togobanu.dll (Trojan.Vundo) -> No action taken. C:\WINDOWS\system32\dllcache\userinit.exe (Trojan.Downloader) -> No action taken. Any help would be most graciously received. Thanks
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.