sohnir

Hi- I suspected some spyware on my computer; so tried installing Malwarebytes's Anti-Malware. The installation failed twice complaining with (I guess) missing libraries: The application has failed to start becauase ATL.DLL was not found. Re-installing the application may fix the problem. MSVBVM60.DLL Run-time error '440' Automation error 1) I de-installed Anti-Malware from Control -> Add/Remove programs 2) On all subsequent reboots (XP Pro-SP2); I'm getting the following errors. " Windows Cannot Find 'D:\Program'. Make sure you typed the name correctly and then retry again. To search for a file click Start button and then search." Please advice, Thanks.

No, I don't share this computer with anybody. However, I keep RDP port open; to remotely access the computer when I'm away. Why do you ask that? Is there any threat or vulnerability to the computer? As instructed; I've now successfully run the Avira Rescue CD and previously report 23 files were moved. I'm updating the ComboFix and HJT log below. I'd connected to the network after ComboFix had completed and produced its log. I've not yet removed DaemonTools as in the last update; you mentioned to run Avira Rescue CD for now. Let me know if I need to de-install Daemon Tools. Here are the logs. Thanks. ######################################### ComboFix log ComboFix 09-02-07.01 - Vipul C. Patel 2009-02-09 19:30:45.5 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.677 [GMT -5:00] Running from: c:\documents and settings\Vipul C. Patel\Desktop\ComboFix.exe FW: McAfee Personal Firewall Plus *enabled* * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 ))))))))))))))))))))))))))))))) . 2009-02-07 18:04 . 2009-02-07 18:04 250 --a------ c:\windows\gmer.ini 2009-02-07 12:41 . 2009-02-07 12:44 <DIR> d-------- c:\documents and settings\Vipul C. Patel\DoctorWeb 2009-02-06 09:03 . 2009-02-06 09:03 <DIR> d-------- c:\program files\CCleaner 2009-02-05 22:06 . 2009-02-05 22:06 <DIR> d-------- c:\program files\Common Files\Adobe AIR 2009-02-05 22:03 . 2009-02-05 22:03 <DIR> d-------- c:\program files\NOS 2009-02-05 22:03 . 2009-02-05 22:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS 2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\documents and settings\Vipul C. Patel\Application Data\Malwarebytes 2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-02-05 08:37 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-02-05 08:37 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-02-02 21:21 . 2009-02-02 21:21 <DIR> d-------- c:\windows\McAfee.com 2009-02-01 15:07 . 2009-02-01 15:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2009-02-01 15:07 . 2009-02-06 09:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-01-28 01:42 . 2009-01-28 01:42 <DIR> d-------- c:\documents and settings\Vipul C. Patel\EurekaLog . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-02-08 18:35 --------- d-----w c:\program files\eMule 2008-12-09 13:28 256 ----a-w c:\documents and settings\Vipul C. Patel\pool.bin 2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr . ((((((((((((((((((((((((((((( SnapShot@2009-02-05_20.45.37.88 ))))))))))))))))))))))))))))))))))))))))) . + 2009-02-07 23:04:45 884,736 ----a-w c:\windows\gmer.dll + 2008-04-18 02:13:02 811,008 ----a-w c:\windows\gmer.exe + 2007-12-12 20:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe - 2005-07-30 18:32:47 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat + 2009-02-06 03:03:59 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat - 2005-07-30 18:32:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2009-02-06 03:03:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat - 2005-07-30 18:32:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2009-02-06 03:03:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2009-02-07 23:04:45 85,969 ----a-w c:\windows\system32\drivers\gmer.sys - 2009-02-06 01:17:59 55,614 ----a-w c:\windows\system32\perfc009.dat + 2009-02-10 00:30:32 55,614 ----a-w c:\windows\system32\perfc009.dat - 2009-02-06 01:17:59 388,050 ----a-w c:\windows\system32\perfh009.dat + 2009-02-10 00:30:32 388,050 ----a-w c:\windows\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "Second Copy 2000"="c:\program files\SecCopy\SecCopy.exe" [2001-09-17 1134080] "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-09 86016] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032] "VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2004-07-01 139264] "VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2004-08-17 180224] "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088] "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-07-26 26112] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-26 98304] "PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016] "PDUiP6600DMon"="c:\program files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [2005-05-25 69632] "MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2004-08-22 1327104] "mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248] "MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2004-10-25 184320] "MCAgentExe"="c:\progra~1\McAfee.com\Agent\McAgent.exe" [2004-08-17 245760] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248] "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035] "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016] "CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344] "AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2006-08-15 454144] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672] "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe] "nwiz"="nwiz.exe" [2006-03-09 c:\windows\system32\nwiz.exe] c:\documents and settings\Vipul C. Patel\Start Menu\Programs\Startup\ Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-10-02 1283608] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193] APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-07-19 221295] Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-07-26 24576] DSW IPSec Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2005-08-08 1425424] Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 51776] QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{569DAC0F-2791-46ab-8EFC-A54B77C04C20}"= "c:\program files\DVD Ghost\ExecuteHooker.dll" [2004-07-27 90112] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify] 2004-11-01 10:50 8704 c:\windows\system32\PCANotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.MJPG"= Pvmjpg21.dll "VIDC.PIM1"= pclepim1.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\oracle\\product\\9.2.0\\Apache\\Apache\\Apache.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Trillian\\trillian.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\NetMeeting\\conf.exe"= "c:\\WINDOWS\\system32\\fxsclnt.exe"= "c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "5900:TCP"= 5900:TCP:*:Disabled:VNC "5800:TCP"= 5800:TCP:*:Disabled:vnc2 R3 BENDER;Pinnacle DV/AV Capture;c:\windows\system32\drivers\bender.sys [2006-04-26 180480] R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005-07-26 23296] S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-05 33752] S3 OracleOra920_DB_homeAgent;OracleOra920_DB_homeAgent;c:\oracle\product\9.2.0\bin\agntsrvc.exe [2002-04-26 28944] S3 OracleOra920_DB_homeClientCache;OracleOra920_DB_homeClientCache;c:\oracle\product\9.2.0\bin\ONRSD.EXE [2002-04-26 242328] S3 OracleOra920_DB_homeHTTPServer;OracleOra920_DB_homeHTTPServer;c:\oracle\product\9.2.0\Apache\Apache\Apache.exe [2002-04-18 4096] S3 OracleOra920_DB_homeManagementServer;OracleOra920_DB_homeManagementServer;c:\oracle\product\9.2.0\bin\OMSNTsrv.exe [2002-08-20 53248] S3 OracleOra920_DB_homePagingServer;OracleOra920_DB_homePagingServer;c:\oracle\product\9.2.0\bin\pagntsrv.exe [2002-08-20 49152] S3 OracleOra920_DB_homeSNMPPeerEncapsulator;OracleOra920_DB_homeSNMPPeerEncapsulato r;c:\oracle\product\9.2.0\bin\encsvc.exe [2002-02-13 187392] S3 OracleOra920_DB_homeSNMPPeerMasterAgent;OracleOra920_DB_homeSNMPPeerMasterAgent; c:\oracle\product\9.2.0\bin\agntsvc.exe [2002-02-13 254464] S3 OracleOra920_DB_homeTNSListener;OracleOra920_DB_homeTNSListener;c:\oracle\product\9.2.0\BIN\TNSLSNR --> c:\oracle\product\9.2.0\BIN\TNSLSNR [?] S3 OracleServiceSAI;OracleServiceSAI;c:\oracle\product\9.2.0\bin\ORACLE.EXE SAI --> c:\oracle\product\9.2.0\bin\ORACLE.EXE SAI [?] UnknownUnknown dsload;dsload; [x] . Contents of the 'Scheduled Tasks' folder 2009-02-09 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Vipul C. Patel).job - c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08] 2009-02-09 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Vipul C. Patel).job - c:\progra~1\mcafee.com\agent [2007-02-21 16:47] . . ------- Supplementary Scan ------- . uStart Page = hxxp://my.yahoo.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 IE: Easy-WebPrint Add To Print List - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html IE: Easy-WebPrint High Speed Print - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html IE: Easy-WebPrint Preview - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html IE: Easy-WebPrint Print - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm TCP: {1C94D276-D18B-4E37-B99C-DABDC16D715E} = 68.87.68.162,68.87.74.162 DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxp://linux1.domain:7779/imtapp/res/jar/cnsload.cab DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} - hxxp://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://atloradisp01.iss.net:7778/jinitiator/jinit.exe DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxp://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-09 19:35:46 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra920_DB_homePagingServer] "ImagePath"="c:\oracle\product\9.2.0/bin/pagntsrv.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra920_DB_homeTNSListener] "ImagePath"="c:\oracle\product\9.2.0\BIN\TNSLSNR " . Completion time: 2009-02-09 19:40:20 ComboFix-quarantined-files.txt 2009-02-10 00:39:01 ComboFix2.txt 2009-02-07 17:24:06 ComboFix3.txt 2009-02-06 13:46:48 ComboFix4.txt 2009-02-06 03:46:02 ComboFix5.txt 2009-02-10 00:29:43 Pre-Run: 59,876,585,472 bytes free Post-Run: 59,880,710,144 bytes free 183 --- E O F --- 2008-06-21 07:00:42 ####################### HJT log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:45:56 PM, on 2/9/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\stsystra.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe C:\Program Files\Real\RealPlayer\RealPlay.exe c:\program files\mcafee.com\agent\mcagent.exe C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe C:\PROGRA~1\mcafee.com\agent\mcupdate.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SecCopy\SecCopy.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\Vipul C. Patel\Desktop\HiJackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon_6600D\Easy-WebPrint\Toolband.dll O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe" O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: APC UPS Status.lnk = ? O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: DSW IPSec Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - http://linux1.domain:7779/imtapp/res/jar/cnsload.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/33.06/uploader2.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173584011437 O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://atloradisp01.iss.net:7778/jinitiator/jinit.exe O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) - http://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...514/mcfscan.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{1C94D276-D18B-4E37-B99C-DABDC16D715E}: NameServer = 68.87.68.162,68.87.74.162 O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: OracleOra920_DB_homeAgent - Oracle Corporation - C:\oracle\product\9.2.0\bin\agntsrvc.exe O23 - Service: OracleOra920_DB_homeClientCache - Unknown owner - C:\oracle\product\9.2.0\BIN\ONRSD.EXE O23 - Service: OracleOra920_DB_homeHTTPServer - Unknown owner - C:\oracle\product\9.2.0\Apache\Apache\apache.exe O23 - Service: OracleOra920_DB_homeManagementServer - Unknown owner - C:\oracle\product\9.2.0\bin\OMSNTsrv.exe O23 - Service: OracleOra920_DB_homePagingServer - Unknown owner - C:\oracle\product\9.2.0/bin/pagntsrv.exe O23 - Service: OracleOra920_DB_homeSNMPPeerEncapsulator - Unknown owner - C:\oracle\product\9.2.0\BIN\ENCSVC.EXE O23 - Service: OracleOra920_DB_homeSNMPPeerMasterAgent - Unknown owner - C:\oracle\product\9.2.0\BIN\AGNTSVC.EXE O23 - Service: OracleOra920_DB_homeTNSListener - Unknown owner - C:\oracle\product\9.2.0\BIN\TNSLSNR.exe O23 - Service: OracleServiceSAI - Oracle Corporation - c:\oracle\product\9.2.0\bin\ORACLE.EXE O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- End of file - 14421 bytes #####################

Thanks. I ran the Avira AntiVir Rescue CD; but did not check "Try to Repair Infected files" and "Rename fils if they cannot be removed?"...so it completed the SCAN in about 3hrs... As you mentioned; there is not way to capture the complete log; I captured the following main excerpt and the last main lines which looked suspicious. Please take a look... Also, I'm now running the SCAN again; with those 2 options check to repair/move infected files? You wanted me to check those options, correct? ################################################## 09feb09 - Avira AntiVir Rescue CD run... Scanned files: 168,249 Scanned directories: 18,148 Required time: 03:13:27 Records: 23 Suspect files: 0 Warnings: 18 Information/_restore{46DE8921-1D39-44D2-A9E9-64119261F211}RP1/A0000022.dll ALERT: [TR/Crypt.FKM.Gen] /mnt/sda2/System Volumne <<< Is the trojan horse TR/Crypt.FKM.Gen /mnt/sda2/WINDOWS/system32/gapiwidll.dll << Is the trojan horse TR/Crypt.FKM.Gen The same message is displayed for the following dlls.. winerrgapi.dll apiherrdo.dll foexetfo.dll foswinas.dll petebxlin.dll pexshelin.dll jeswinje.dll evwasduo.dll lojelolo.dll cracrapow.dll ebxggdll.dll My Docs/WinZip/WinZipProv10Keymaker-ZWT.rar -> keygen.exe <<< Is the Trojan Horse TR/PSW.0.TR.1 My Docs/Tools+Software/securecrt/scrt505-tbe.ext <<< iS THE Trojan horse TR/Agent.40448.W ##################################################

Thanks. I'm little confused on the steps instructed. Do you want me to create both the CD and the flash drive? I'm listing the steps below, see if that is what you want me to do? 1- Delete the current ComboFix.exe and get a new one. 2- Disconnect from the network. 3- De-install DAEMON Tools? 3a- I'm not sure what SPDT file is? Can you please help me here? 3- I've already created the Avira AntiVir Rescue CD. Do you want me to boot from that CD? If yes, will this run Avira AnitVir Rescue program automatically after boot or do I need to invoke that from the CD? 4- If you're asking me to boot from the hard drive; are you asking me to run the program manually from the Avira CD? Which program do I click to invoke the Avira Anti-Virus CD? 5- I've made a note of the resolution problem. If that happens the moderator there recommends running the following command from the command line. If that happens; do I need to switch to any folder within the command prompt to invoke antivir program? antivir --allfiles -z -ren /mnt/ Thanks again.

Hi- Thanks for all your help. I've followed all the steps and here are my observations; 2 attachments are with this upload. 1- ComboFix run details.. At about Stage-1 or 2; standard Windows error message popped up. I did not touch the window message and it went away after a while. ============================ explorer.exe - Application error The exception unknown software (0x000000fd) occured in te application at location 0x00d7e9ae Click on OK to terminate the program Click on CANCEL to debug the program ============================= After stage 50 when rebooting windows in ComboFix; the following Windows error message popped up. This is the 2nd time that this command failed. I did not touch the error message and went away while ComboFix reboot. ============================= NirCmd.cfexe - DDL Initialization failed The application failed to initialize because the window station is shutting down ============================= ComboFix reboot took a very long time; the blank screen stayed there for quite some time; with no DISK activity. It took the same long time last time when I ran ComboFix. Even though with no disk activity; it does reboot successfully though and produce the logs at the end. 2- Dr.Web CureIt run. It took about 4 hrs to complete this run; after it completed it took about 10min to reboot the computer. Internet Explorer performance took a deep dive (extremely slow) after Dr. CureIt run. I'm attaching the CSV and the spreadsheet report produced by this run. 3- GMER run Attached the LOG file in ZIP format. 4- Observations.. After Dr. WebCureIT run; I've observed the following after few tests: If I reboot the system over and over again without using any programs; the system reboot will happen right away. But If I use any programs say IE (visit few sites) and then reboot; along with system performance degradation, the reboot/shutdown is taking extremely long time; something seems to be wrong. The desktop freezes and I cannot open any programs after the reboot/shutdown command is given. If I try to open an explorer (or any program for that matter) during this freeze period; it will complain; explorer.exe - DLL Initialization failed. The application failed to initialize because the window station is shutting down. Even CTL+ALT+DEL or bringing up TASK MANAGER does not work at this point Following are the logs ############################### ComboFix log ComboFix 09-02-06.04 - Vipul C. Patel 2009-02-07 12:02:43.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.662 [GMT -5:00] Running from: c:\documents and settings\Vipul C. Patel\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Vipul C. Patel\Desktop\CFscript.txt FW: McAfee Personal Firewall Plus *enabled* * Created a new restore point FILE :: c:\windows\system32\togeco.dll . ((((((((((((((((((((((((( Files Created from 2009-01-07 to 2009-02-07 ))))))))))))))))))))))))))))))) . 2009-02-06 09:03 . 2009-02-06 09:03 <DIR> d-------- c:\program files\CCleaner 2009-02-05 22:06 . 2009-02-05 22:06 <DIR> d-------- c:\program files\Common Files\Adobe AIR 2009-02-05 22:03 . 2009-02-05 22:03 <DIR> d-------- c:\program files\NOS 2009-02-05 22:03 . 2009-02-05 22:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS 2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\documents and settings\Vipul C. Patel\Application Data\Malwarebytes 2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-02-05 08:37 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-02-05 08:37 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-02-02 21:21 . 2009-02-02 21:21 <DIR> d-------- c:\windows\McAfee.com 2009-02-01 15:07 . 2009-02-01 15:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2009-02-01 15:07 . 2009-02-06 09:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-01-28 01:42 . 2009-01-28 01:42 <DIR> d-------- c:\documents and settings\Vipul C. Patel\EurekaLog . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-09 13:28 256 ----a-w c:\documents and settings\Vipul C. Patel\pool.bin . ((((((((((((((((((((((((((((( SnapShot@2009-02-05_20.45.37.88 ))))))))))))))))))))))))))))))))))))))))) . + 2007-12-12 20:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe + 2008-04-23 04:16:30 1,977,567 ----a-w c:\windows\system32\apiherrdo.dll + 2008-04-23 04:16:30 1,259,072 ----a-w c:\windows\system32\apijmhdo.dll - 2005-07-30 18:32:47 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat + 2009-02-06 03:03:59 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat - 2005-07-30 18:32:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2009-02-06 03:03:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat - 2005-07-30 18:32:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2009-02-06 03:03:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2008-04-23 04:16:30 1,458,783 ----a-w c:\windows\system32\cracrapow.dll + 2008-04-23 04:16:30 1,066,004 ----a-w c:\windows\system32\ehapicra.dll + 2008-04-23 04:16:30 2,021,802 ----a-w c:\windows\system32\evwasudo.dll + 2008-04-23 04:16:30 2,130,709 ----a-w c:\windows\system32\foexetfo.dll + 2008-04-23 04:16:30 1,485,156 ----a-w c:\windows\system32\foswinas.dll + 2008-04-23 04:16:30 1,970,778 ----a-w c:\windows\system32\gapiwidll.dll - 2009-02-06 01:17:59 55,614 ----a-w c:\windows\system32\perfc009.dat + 2009-02-07 17:08:43 55,614 ----a-w c:\windows\system32\perfc009.dat - 2009-02-06 01:17:59 388,050 ----a-w c:\windows\system32\perfh009.dat + 2009-02-07 17:08:43 388,050 ----a-w c:\windows\system32\perfh009.dat + 2008-04-23 04:16:30 1,494,689 ----a-w c:\windows\system32\petebxlin.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "Second Copy 2000"="c:\program files\SecCopy\SecCopy.exe" [2001-09-17 1134080] "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-09 86016] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032] "VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2004-07-01 139264] "VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2004-08-17 180224] "StormCodec_Helper"="c:\program files\Ringz Studio\Storm Codec\StormSet.exe" [2006-07-16 452945] "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088] "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-07-26 26112] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-26 98304] "PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016] "PDUiP6600DMon"="c:\program files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [2005-05-25 69632] "MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2004-08-22 1327104] "mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248] "MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2004-10-25 184320] "MCAgentExe"="c:\progra~1\McAfee.com\Agent\McAgent.exe" [2004-08-17 245760] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248] "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035] "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016] "CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344] "AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2006-08-15 454144] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672] "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe] "nwiz"="nwiz.exe" [2006-03-09 c:\windows\system32\nwiz.exe] c:\documents and settings\Vipul C. Patel\Start Menu\Programs\Startup\ Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-10-02 1283608] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193] APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-07-19 221295] Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-07-26 24576] DSW IPSec Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2005-08-08 1425424] Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 51776] QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{569DAC0F-2791-46ab-8EFC-A54B77C04C20}"= "c:\program files\DVD Ghost\ExecuteHooker.dll" [2004-07-27 90112] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify] 2004-11-01 10:50 8704 c:\windows\system32\PCANotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.MJPG"= Pvmjpg21.dll "VIDC.PIM1"= pclepim1.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\Program Files\\eMule\\emule.exe"= "c:\\oracle\\product\\9.2.0\\Apache\\Apache\\Apache.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Trillian\\trillian.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\NetMeeting\\conf.exe"= "c:\\WINDOWS\\system32\\fxsclnt.exe"= "c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"= "c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "5900:TCP"= 5900:TCP:*:Disabled:VNC "5800:TCP"= 5800:TCP:*:Disabled:vnc2 R3 BENDER;Pinnacle DV/AV Capture;c:\windows\system32\drivers\bender.sys [2006-04-26 180480] R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005-07-26 23296] S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-05 33752] S3 OracleOra920_DB_homeAgent;OracleOra920_DB_homeAgent;c:\oracle\product\9.2.0\bin\agntsrvc.exe [2002-04-26 28944] S3 OracleOra920_DB_homeClientCache;OracleOra920_DB_homeClientCache;c:\oracle\product\9.2.0\bin\ONRSD.EXE [2002-04-26 242328] S3 OracleOra920_DB_homeHTTPServer;OracleOra920_DB_homeHTTPServer;c:\oracle\product\9.2.0\Apache\Apache\Apache.exe [2002-04-18 4096] S3 OracleOra920_DB_homeManagementServer;OracleOra920_DB_homeManagementServer;c:\oracle\product\9.2.0\bin\OMSNTsrv.exe [2002-08-20 53248] S3 OracleOra920_DB_homePagingServer;OracleOra920_DB_homePagingServer;c:\oracle\product\9.2.0\bin\pagntsrv.exe [2002-08-20 49152] S3 OracleOra920_DB_homeSNMPPeerEncapsulator;OracleOra920_DB_homeSNMPPeerEncapsulato r;c:\oracle\product\9.2.0\bin\encsvc.exe [2002-02-13 187392] S3 OracleOra920_DB_homeSNMPPeerMasterAgent;OracleOra920_DB_homeSNMPPeerMasterAgent; c:\oracle\product\9.2.0\bin\agntsvc.exe [2002-02-13 254464] S3 OracleOra920_DB_homeTNSListener;OracleOra920_DB_homeTNSListener;c:\oracle\product\9.2.0\BIN\TNSLSNR --> c:\oracle\product\9.2.0\BIN\TNSLSNR [?] S3 OracleServiceSAI;OracleServiceSAI;c:\oracle\product\9.2.0\bin\ORACLE.EXE SAI --> c:\oracle\product\9.2.0\bin\ORACLE.EXE SAI [?] UnknownUnknown dsload;dsload; [x] . Contents of the 'Scheduled Tasks' folder 2009-02-07 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Vipul C. Patel).job - c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08] 2009-02-07 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Vipul C. Patel).job - c:\progra~1\mcafee.com\agent [2007-02-21 16:47] . . ------- Supplementary Scan ------- . uStart Page = hxxp://my.yahoo.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 IE: Easy-WebPrint Add To Print List - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html IE: Easy-WebPrint High Speed Print - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html IE: Easy-WebPrint Preview - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html IE: Easy-WebPrint Print - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm TCP: {1C94D276-D18B-4E37-B99C-DABDC16D715E} = 68.87.68.162,68.87.74.162 DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxp://linux1.domain:7779/imtapp/res/jar/cnsload.cab DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} - hxxp://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://atloradisp01.iss.net:7778/jinitiator/jinit.exe DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxp://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-07 12:19:01 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... c:\windows\system32\ehapicra.dll 1066004 bytes executable c:\windows\system32\foexetfo.dll 2130709 bytes executable scan completed successfully hidden files: 2 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra920_DB_homePagingServer] "ImagePath"="c:\oracle\product\9.2.0/bin/pagntsrv.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra920_DB_homeTNSListener] "ImagePath"="c:\oracle\product\9.2.0\BIN\TNSLSNR " . ------------------------ Other Running Processes ------------------------ . c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe c:\program files\Cisco Systems\VPN Client\cvpnd.exe c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\progra~1\McAfee.com\PERSON~1\MpfService.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\wdfmgr.exe c:\program files\McAfee.com\Agent\mcagent.exe c:\program files\McAfee.com\Shared\mghtml.exe c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe c:\program files\Internet Explorer\iexplore.exe c:\program files\Internet Explorer\iexplore.exe c:\program files\Internet Explorer\iexplore.exe c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe . ************************************************************************** . Completion time: 2009-02-07 12:24:05 - machine was rebooted ComboFix-quarantined-files.txt 2009-02-07 17:24:03 ComboFix2.txt 2009-02-06 13:46:48 ComboFix3.txt 2009-02-06 03:46:02 ComboFix4.txt 2009-02-06 01:46:59 Pre-Run: 59,848,007,680 bytes free Post-Run: 59,829,149,696 bytes free 215 --- E O F --- 2008-06-21 07:00:42 ########################## HJT log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:48:14 PM, on 2/7/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\stsystra.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe c:\program files\mcafee.com\agent\mcagent.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SecCopy\SecCopy.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Vipul C. Patel\Desktop\HiJackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon_6600D\Easy-WebPrint\Toolband.dll O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe" O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: APC UPS Status.lnk = ? O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: DSW IPSec Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - http://linux1.domain:7779/imtapp/res/jar/cnsload.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/33.06/uploader2.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173584011437 O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://atloradisp01.iss.net:7778/jinitiator/jinit.exe O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) - http://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...514/mcfscan.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{1C94D276-D18B-4E37-B99C-DABDC16D715E}: NameServer = 68.87.68.162,68.87.74.162 O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: OracleOra920_DB_homeAgent - Oracle Corporation - C:\oracle\product\9.2.0\bin\agntsrvc.exe O23 - Service: OracleOra920_DB_homeClientCache - Unknown owner - C:\oracle\product\9.2.0\BIN\ONRSD.EXE O23 - Service: OracleOra920_DB_homeHTTPServer - Unknown owner - C:\oracle\product\9.2.0\Apache\Apache\apache.exe O23 - Service: OracleOra920_DB_homeManagementServer - Unknown owner - C:\oracle\product\9.2.0\bin\OMSNTsrv.exe O23 - Service: OracleOra920_DB_homePagingServer - Unknown owner - C:\oracle\product\9.2.0/bin/pagntsrv.exe O23 - Service: OracleOra920_DB_homeSNMPPeerEncapsulator - Unknown owner - C:\oracle\product\9.2.0\BIN\ENCSVC.EXE O23 - Service: OracleOra920_DB_homeSNMPPeerMasterAgent - Unknown owner - C:\oracle\product\9.2.0\BIN\AGNTSVC.EXE O23 - Service: OracleOra920_DB_homeTNSListener - Unknown owner - C:\oracle\product\9.2.0\BIN\TNSLSNR.exe O23 - Service: OracleServiceSAI - Oracle Corporation - c:\oracle\product\9.2.0\bin\ORACLE.EXE O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- End of file - 14696 bytes ####################################### Attachments uploaded are: 1- DrWeb_07feb09_01_xls.zip - this has 2 worksheets, one with CSV data and the other has formatted data 2- GMER_LOG.zip Please let me know if you have problems viewing these attachments. Thanks again. GMER_LOG.zip DrWeb_07feb09_01_xls.zip GMER_LOG.zip DrWeb_07feb09_01_xls.zip

Forgot to paste ComboFix log...here it is ... ########################## ComboFix 09-02-05.02 - Vipul C. Patel 2009-02-06 8:27:31.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.647 [GMT -5:00] Running from: c:\documents and settings\Vipul C. Patel\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Vipul C. Patel\Desktop\CFscript.txt FW: McAfee Personal Firewall Plus *enabled* * Created a new restore point FILE :: c:\windows\system32\andaapicra.dll c:\windows\system32\nihexe.dll . ((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 ))))))))))))))))))))))))))))))) . 2009-02-05 22:06 . 2009-02-05 22:06 <DIR> d-------- c:\program files\Common Files\Adobe AIR 2009-02-05 22:03 . 2009-02-05 22:03 <DIR> d-------- c:\program files\NOS 2009-02-05 22:03 . 2009-02-05 22:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS 2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\documents and settings\Vipul C. Patel\Application Data\Malwarebytes 2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-02-05 08:37 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-02-05 08:37 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-02-02 21:21 . 2009-02-02 21:21 <DIR> d-------- c:\windows\McAfee.com 2009-02-01 15:07 . 2009-02-01 15:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2009-02-01 15:07 . 2009-02-01 15:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-01-28 01:42 . 2009-01-28 01:42 <DIR> d-------- c:\documents and settings\Vipul C. Patel\EurekaLog . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-09 13:28 256 ----a-w c:\documents and settings\Vipul C. Patel\pool.bin . ((((((((((((((((((((((((((((( SnapShot@2009-02-05_20.45.37.88 ))))))))))))))))))))))))))))))))))))))))) . + 2007-12-12 20:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe - 2005-07-30 18:32:47 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat + 2009-02-06 03:03:59 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat - 2005-07-30 18:32:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2009-02-06 03:03:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat - 2005-07-30 18:32:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2009-02-06 03:03:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2008-04-23 04:16:30 1,485,156 ----a-w c:\windows\system32\foswinas.dll - 2009-02-06 01:17:59 55,614 ----a-w c:\windows\system32\perfc009.dat + 2009-02-06 13:23:04 55,614 ----a-w c:\windows\system32\perfc009.dat - 2009-02-06 01:17:59 388,050 ----a-w c:\windows\system32\perfh009.dat + 2009-02-06 13:23:04 388,050 ----a-w c:\windows\system32\perfh009.dat + 2008-04-23 04:16:30 1,959,551 ----a-w c:\windows\system32\poperrerr.dll + 2008-04-23 04:16:30 1,157,166 ----a-w c:\windows\system32\togeco.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "Second Copy 2000"="c:\program files\SecCopy\SecCopy.exe" [2001-09-17 1134080] "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-09 86016] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032] "VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2004-07-01 139264] "VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2004-08-17 180224] "StormCodec_Helper"="c:\program files\Ringz Studio\Storm Codec\StormSet.exe" [2006-07-16 452945] "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088] "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-07-26 26112] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-26 98304] "PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016] "PDUiP6600DMon"="c:\program files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [2005-05-25 69632] "MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2004-08-22 1327104] "mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248] "MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2004-10-25 184320] "MCAgentExe"="c:\progra~1\McAfee.com\Agent\McAgent.exe" [2004-08-17 245760] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248] "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035] "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016] "CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344] "AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2006-08-15 454144] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672] "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe] "nwiz"="nwiz.exe" [2006-03-09 c:\windows\system32\nwiz.exe] c:\documents and settings\Vipul C. Patel\Start Menu\Programs\Startup\ Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-10-02 1283608] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193] APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-07-19 221295] Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-07-26 24576] DSW IPSec Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2005-08-08 1425424] Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 51776] QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{569DAC0F-2791-46ab-8EFC-A54B77C04C20}"= "c:\program files\DVD Ghost\ExecuteHooker.dll" [2004-07-27 90112] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify] 2004-11-01 10:50 8704 c:\windows\system32\PCANotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.MJPG"= Pvmjpg21.dll "VIDC.PIM1"= pclepim1.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\Program Files\\eMule\\emule.exe"= "c:\\oracle\\product\\9.2.0\\Apache\\Apache\\Apache.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Trillian\\trillian.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\NetMeeting\\conf.exe"= "c:\\WINDOWS\\system32\\fxsclnt.exe"= "c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"= "c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "5900:TCP"= 5900:TCP:*:Disabled:VNC "5800:TCP"= 5800:TCP:*:Disabled:vnc2 R3 BENDER;Pinnacle DV/AV Capture;c:\windows\system32\drivers\bender.sys [2006-04-26 180480] R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005-07-26 23296] S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-05 33752] S3 OracleOra920_DB_homeAgent;OracleOra920_DB_homeAgent;c:\oracle\product\9.2.0\bin\agntsrvc.exe [2002-04-26 28944] S3 OracleOra920_DB_homeClientCache;OracleOra920_DB_homeClientCache;c:\oracle\product\9.2.0\bin\ONRSD.EXE [2002-04-26 242328] S3 OracleOra920_DB_homeHTTPServer;OracleOra920_DB_homeHTTPServer;c:\oracle\product\9.2.0\Apache\Apache\Apache.exe [2002-04-18 4096] S3 OracleOra920_DB_homeManagementServer;OracleOra920_DB_homeManagementServer;c:\oracle\product\9.2.0\bin\OMSNTsrv.exe [2002-08-20 53248] S3 OracleOra920_DB_homePagingServer;OracleOra920_DB_homePagingServer;c:\oracle\product\9.2.0\bin\pagntsrv.exe [2002-08-20 49152] S3 OracleOra920_DB_homeSNMPPeerEncapsulator;OracleOra920_DB_homeSNMPPeerEncapsulato r;c:\oracle\product\9.2.0\bin\encsvc.exe [2002-02-13 187392] S3 OracleOra920_DB_homeSNMPPeerMasterAgent;OracleOra920_DB_homeSNMPPeerMasterAgent; c:\oracle\product\9.2.0\bin\agntsvc.exe [2002-02-13 254464] S3 OracleOra920_DB_homeTNSListener;OracleOra920_DB_homeTNSListener;c:\oracle\product\9.2.0\BIN\TNSLSNR --> c:\oracle\product\9.2.0\BIN\TNSLSNR [?] S3 OracleServiceSAI;OracleServiceSAI;c:\oracle\product\9.2.0\bin\ORACLE.EXE SAI --> c:\oracle\product\9.2.0\bin\ORACLE.EXE SAI [?] UnknownUnknown dsload;dsload; [x] . Contents of the 'Scheduled Tasks' folder 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Vipul C. Patel).job - c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Vipul C. Patel).job - c:\progra~1\mcafee.com\agent [2007-02-21 16:47] . . ------- Supplementary Scan ------- . uStart Page = hxxp://my.yahoo.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 IE: Easy-WebPrint Add To Print List - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html IE: Easy-WebPrint High Speed Print - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html IE: Easy-WebPrint Preview - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html IE: Easy-WebPrint Print - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm TCP: {1C94D276-D18B-4E37-B99C-DABDC16D715E} = 68.87.68.162,68.87.74.162 DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxp://linux1.domain:7779/imtapp/res/jar/cnsload.cab DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} - hxxp://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://atloradisp01.iss.net:7778/jinitiator/jinit.exe DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxp://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-06 08:41:39 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... c:\windows\system32\togeco.dll 1157166 bytes executable scan completed successfully hidden files: 1 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra920_DB_homePagingServer] "ImagePath"="c:\oracle\product\9.2.0/bin/pagntsrv.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra920_DB_homeTNSListener] "ImagePath"="c:\oracle\product\9.2.0\BIN\TNSLSNR " . ------------------------ Other Running Processes ------------------------ . c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe c:\program files\Cisco Systems\VPN Client\cvpnd.exe c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\progra~1\McAfee.com\PERSON~1\MpfService.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\wdfmgr.exe c:\program files\McAfee.com\Agent\mcagent.exe c:\program files\McAfee.com\Shared\mghtml.exe c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe c:\program files\Internet Explorer\iexplore.exe c:\program files\Internet Explorer\iexplore.exe c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe . ************************************************************************** . Completion time: 2009-02-06 8:46:47 - machine was rebooted ComboFix-quarantined-files.txt 2009-02-06 13:46:45 ComboFix2.txt 2009-02-06 03:46:02 ComboFix3.txt 2009-02-06 01:46:59 Pre-Run: 59,755,712,512 bytes free Post-Run: 59,745,042,432 bytes free 206 --- E O F --- 2008-06-21 07:00:42 #########################

Hi- I've followed all the steps as instructed and here are all the logs. Curious questions and notes: 1- Are we going to re-install new JAVA at the end? 2- In one of the steps; when the computer rebooted; it reported Windows Explorer terminated with error (standard Microsoft message if you want to report to MS). 3- What did we do in steps 2 and 3? 4- Step 4 cleaned up about 148 MB of files... Thanks again. ################################### MBAM log Malwarebytes' Anti-Malware 1.33 Database version: 1733 Windows 5.1.2600 Service Pack 2 2/6/2009 9:14:57 AM mbam-log-2009-02-06 (09-14-57).txt Scan type: Quick Scan Objects scanned: 72215 Time elapsed: 4 minute(s), 49 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ############################ HJT log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:20:38 AM, on 2/6/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\stsystra.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe c:\program files\mcafee.com\agent\mcagent.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\DAEMON Tools\daemon.exe C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SecCopy\SecCopy.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Digital Line Detect\DLG.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\TextPad 4\TextPad.exe C:\Documents and Settings\Vipul C. Patel\Desktop\HiJackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon_6600D\Easy-WebPrint\Toolband.dll O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe O4 - HKLM\..\Run: [stormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe" O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: APC UPS Status.lnk = ? O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: DSW IPSec Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - http://linux1.domain:7779/imtapp/res/jar/cnsload.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/33.06/uploader2.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173584011437 O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://atloradisp01.iss.net:7778/jinitiator/jinit.exe O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) - http://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...514/mcfscan.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{1C94D276-D18B-4E37-B99C-DABDC16D715E}: NameServer = 68.87.68.162,68.87.74.162 O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: OracleOra920_DB_homeAgent - Oracle Corporation - C:\oracle\product\9.2.0\bin\agntsrvc.exe O23 - Service: OracleOra920_DB_homeClientCache - Unknown owner - C:\oracle\product\9.2.0\BIN\ONRSD.EXE O23 - Service: OracleOra920_DB_homeHTTPServer - Unknown owner - C:\oracle\product\9.2.0\Apache\Apache\apache.exe O23 - Service: OracleOra920_DB_homeManagementServer - Unknown owner - C:\oracle\product\9.2.0\bin\OMSNTsrv.exe O23 - Service: OracleOra920_DB_homePagingServer - Unknown owner - C:\oracle\product\9.2.0/bin/pagntsrv.exe O23 - Service: OracleOra920_DB_homeSNMPPeerEncapsulator - Unknown owner - C:\oracle\product\9.2.0\BIN\ENCSVC.EXE O23 - Service: OracleOra920_DB_homeSNMPPeerMasterAgent - Unknown owner - C:\oracle\product\9.2.0\BIN\AGNTSVC.EXE O23 - Service: OracleOra920_DB_homeTNSListener - Unknown owner - C:\oracle\product\9.2.0\BIN\TNSLSNR.exe O23 - Service: OracleServiceSAI - Oracle Corporation - c:\oracle\product\9.2.0\bin\ORACLE.EXE O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- End of file - 14842 bytes ################################## ComboFix log

Thanks for the quick response and advice. I've followed the following steps as instructed; but missed to remove all JAVA as noted in step-3 below 1- Restarted in Normal MSCONFIG mode 2- The hosts file entries are good; I need to access them. 3- Upgraded to Adobe reader 9 4- De-installed JRE 6 and executed JavaRa to remove all JAVA. However; I missed to delete all JAVA folders that you mentioned at this step. However, I did remove them after step-5 below. Not sure; whether it is impacting the run for ComboFix or not. Also, I've few installations of JInitiator; they are plugins for to access Oracle Applications forms via Browser. Do I need to de-install them as well? I'm assumming you'll advice me to install a latest and safer version of JAVA at the end of this exercise. 5- Run ComboFix; in the middle the computer rebooted. While on its way to reboot; it complained the following with Windows error message: -------------------------------- NirCmd.cfexe - DLL Initialization failed The application failed to initialize because the window station is shutting down -------------------------------- I ignored this message for few seconds and it went away and it sucessfully rebooted; finished the rest of the steps for ComboFix and produced a log. I'll paste the log at the end of this update. Does this error message indicate something. Is it dangerous? Here I realize I missed the steps to delete the JAVA folders; I now remove them. 6- I ran Malwarebytes Anti-Malware; I'll paste the logs below. 7- Re-start the computer and produce HJ logs 8- As a part of running ComboFix for the 1st time; I was adviced to DISABLE firewall; I'd then disable Windows firewall. Should I re-enable it again? Thanks. ############################################## MBAM logs Malwarebytes' Anti-Malware 1.33 Database version: 1733 Windows 5.1.2600 Service Pack 2 2/5/2009 11:07:02 PM mbam-log-2009-02-05 (23-07-02).txt Scan type: Quick Scan Objects scanned: 72354 Time elapsed: 4 minute(s), 48 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ############################################### HJT logs Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:12:56 PM, on 2/5/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe C:\WINDOWS\stsystra.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe C:\Program Files\Real\RealPlayer\RealPlay.exe c:\program files\mcafee.com\agent\mcagent.exe C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\SecCopy\SecCopy.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\TextPad 4\TextPad.exe C:\Documents and Settings\Vipul C. Patel\Desktop\HiJackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon_6600D\Easy-WebPrint\Toolband.dll O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe O4 - HKLM\..\Run: [stormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe" O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: APC UPS Status.lnk = ? O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: DSW IPSec Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - http://linux1.domain:7779/imtapp/res/jar/cnsload.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/33.06/uploader2.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173584011437 O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://atloradisp01.iss.net:7778/jinitiator/jinit.exe O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) - http://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...514/mcfscan.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{1C94D276-D18B-4E37-B99C-DABDC16D715E}: NameServer = 68.87.68.162,68.87.74.162 O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: OracleOra920_DB_homeAgent - Oracle Corporation - C:\oracle\product\9.2.0\bin\agntsrvc.exe O23 - Service: OracleOra920_DB_homeClientCache - Unknown owner - C:\oracle\product\9.2.0\BIN\ONRSD.EXE O23 - Service: OracleOra920_DB_homeHTTPServer - Unknown owner - C:\oracle\product\9.2.0\Apache\Apache\apache.exe O23 - Service: OracleOra920_DB_homeManagementServer - Unknown owner - C:\oracle\product\9.2.0\bin\OMSNTsrv.exe O23 - Service: OracleOra920_DB_homePagingServer - Unknown owner - C:\oracle\product\9.2.0/bin/pagntsrv.exe O23 - Service: OracleOra920_DB_homeSNMPPeerEncapsulator - Unknown owner - C:\oracle\product\9.2.0\BIN\ENCSVC.EXE O23 - Service: OracleOra920_DB_homeSNMPPeerMasterAgent - Unknown owner - C:\oracle\product\9.2.0\BIN\AGNTSVC.EXE O23 - Service: OracleOra920_DB_homeTNSListener - Unknown owner - C:\oracle\product\9.2.0\BIN\TNSLSNR.exe O23 - Service: OracleServiceSAI - Oracle Corporation - c:\oracle\product\9.2.0\bin\ORACLE.EXE O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- End of file - 14843 bytes ################################################### ComboFix log ComboFix 09-02-05.01 - Vipul C. Patel 2009-02-05 22:29:58.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.670 [GMT -5:00] Running from: c:\documents and settings\Vipul C. Patel\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Vipul C. Patel\Desktop\CFscript.txt FW: McAfee Personal Firewall Plus *enabled* * Created a new restore point FILE :: c:\windows\system32\gripwca.dll c:\windows\system32\ysohto.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\gripwca.dll c:\windows\system32\ysohto.dll . ((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 ))))))))))))))))))))))))))))))) . 2009-02-05 22:06 . 2009-02-05 22:06 <DIR> d-------- c:\program files\Common Files\Adobe AIR 2009-02-05 22:03 . 2009-02-05 22:03 <DIR> d-------- c:\program files\NOS 2009-02-05 22:03 . 2009-02-05 22:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS 2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\documents and settings\Vipul C. Patel\Application Data\Malwarebytes 2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-02-05 08:37 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-02-05 08:37 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-02-02 21:21 . 2009-02-02 21:21 <DIR> d-------- c:\windows\McAfee.com 2009-02-01 15:07 . 2009-02-01 15:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2009-02-01 15:07 . 2009-02-01 15:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-01-28 01:42 . 2009-01-28 01:42 <DIR> d-------- c:\documents and settings\Vipul C. Patel\EurekaLog . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-09 13:28 256 ----a-w c:\documents and settings\Vipul C. Patel\pool.bin . ((((((((((((((((((((((((((((( SnapShot@2009-02-05_20.45.37.88 ))))))))))))))))))))))))))))))))))))))))) . + 2007-12-12 20:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe + 2008-04-23 04:16:30 1,076,642 ----a-w c:\windows\system32\andaapicra.dll - 2005-07-30 18:32:47 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat + 2009-02-06 03:03:59 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat - 2005-07-30 18:32:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2009-02-06 03:03:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat - 2005-07-30 18:32:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2009-02-06 03:03:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2008-04-23 04:16:30 1,813,766 ----a-w c:\windows\system32\nihexe.dll - 2009-02-06 01:17:59 55,614 ----a-w c:\windows\system32\perfc009.dat + 2009-02-06 03:13:53 55,614 ----a-w c:\windows\system32\perfc009.dat - 2009-02-06 01:17:59 388,050 ----a-w c:\windows\system32\perfh009.dat + 2009-02-06 03:13:53 388,050 ----a-w c:\windows\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "Second Copy 2000"="c:\program files\SecCopy\SecCopy.exe" [2001-09-17 1134080] "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-09 86016] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032] "VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2004-07-01 139264] "VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2004-08-17 180224] "StormCodec_Helper"="c:\program files\Ringz Studio\Storm Codec\StormSet.exe" [2006-07-16 452945] "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088] "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-07-26 26112] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-26 98304] "PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016] "PDUiP6600DMon"="c:\program files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [2005-05-25 69632] "MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2004-08-22 1327104] "MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168] "mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248] "MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2004-10-25 184320] "MCAgentExe"="c:\progra~1\McAfee.com\Agent\McAgent.exe" [2004-08-17 245760] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248] "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035] "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016] "CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344] "AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2006-08-15 454144] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672] "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe] "nwiz"="nwiz.exe" [2006-03-09 c:\windows\system32\nwiz.exe] c:\documents and settings\Vipul C. Patel\Start Menu\Programs\Startup\ Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-10-02 1283608] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193] APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-07-19 221295] Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-07-26 24576] DSW IPSec Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2005-08-08 1425424] Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 51776] QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{569DAC0F-2791-46ab-8EFC-A54B77C04C20}"= "c:\program files\DVD Ghost\ExecuteHooker.dll" [2004-07-27 90112] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify] 2004-11-01 10:50 8704 c:\windows\system32\PCANotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.MJPG"= Pvmjpg21.dll "VIDC.PIM1"= pclepim1.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\Program Files\\eMule\\emule.exe"= "c:\\oracle\\product\\9.2.0\\Apache\\Apache\\Apache.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Trillian\\trillian.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\NetMeeting\\conf.exe"= "c:\\WINDOWS\\system32\\fxsclnt.exe"= "c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"= "c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "5900:TCP"= 5900:TCP:*:Disabled:VNC "5800:TCP"= 5800:TCP:*:Disabled:vnc2 R3 BENDER;Pinnacle DV/AV Capture;c:\windows\system32\drivers\bender.sys [2006-04-26 180480] R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005-07-26 23296] S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-05 33752] S3 OracleOra920_DB_homeAgent;OracleOra920_DB_homeAgent;c:\oracle\product\9.2.0\bin\agntsrvc.exe [2002-04-26 28944] S3 OracleOra920_DB_homeClientCache;OracleOra920_DB_homeClientCache;c:\oracle\product\9.2.0\bin\ONRSD.EXE [2002-04-26 242328] S3 OracleOra920_DB_homeHTTPServer;OracleOra920_DB_homeHTTPServer;c:\oracle\product\9.2.0\Apache\Apache\Apache.exe [2002-04-18 4096] S3 OracleOra920_DB_homeManagementServer;OracleOra920_DB_homeManagementServer;c:\oracle\product\9.2.0\bin\OMSNTsrv.exe [2002-08-20 53248] S3 OracleOra920_DB_homePagingServer;OracleOra920_DB_homePagingServer;c:\oracle\product\9.2.0\bin\pagntsrv.exe [2002-08-20 49152] S3 OracleOra920_DB_homeSNMPPeerEncapsulator;OracleOra920_DB_homeSNMPPeerEncapsulato r;c:\oracle\product\9.2.0\bin\encsvc.exe [2002-02-13 187392] S3 OracleOra920_DB_homeSNMPPeerMasterAgent;OracleOra920_DB_homeSNMPPeerMasterAgent; c:\oracle\product\9.2.0\bin\agntsvc.exe [2002-02-13 254464] S3 OracleOra920_DB_homeTNSListener;OracleOra920_DB_homeTNSListener;c:\oracle\product\9.2.0\BIN\TNSLSNR --> c:\oracle\product\9.2.0\BIN\TNSLSNR [?] S3 OracleServiceSAI;OracleServiceSAI;c:\oracle\product\9.2.0\bin\ORACLE.EXE SAI --> c:\oracle\product\9.2.0\bin\ORACLE.EXE SAI [?] UnknownUnknown dsload;dsload; [x] . Contents of the 'Scheduled Tasks' folder 2009-01-23 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (SHANTI-Nirali V. Patel).job - c:\program files\mcafee.com\vso\mcmnhdlr.exe [2004-07-01 15:15] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (D82RQZ71-Administrator).job - c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (D82RQZ71-Administrator).job - c:\progra~1\mcafee.com\agent [2007-02-21 16:47] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Administrator).job - c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Administrator).job - c:\progra~1\mcafee.com\agent [2007-02-21 16:47] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Meena V. Patel).job - c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Meena V. Patel).job - c:\progra~1\mcafee.com\agent [2007-02-21 16:47] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Nirali V. Patel).job - c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Nirali V. Patel).job - c:\progra~1\mcafee.com\agent [2007-02-21 16:47] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Patel Family).job - c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Patel Family).job - c:\progra~1\mcafee.com\agent [2007-02-21 16:47] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Sohan V. Patel).job - c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Sohan V. Patel).job - c:\progra~1\mcafee.com\agent [2007-02-21 16:47] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Vipul C. Patel).job - c:\progra~1\McAfee.com\Agent\mcupdate.exe [2004-10-25 11:08] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Vipul C. Patel).job - c:\progra~1\McAfee.com\Agent [2007-02-21 16:47] . . ------- Supplementary Scan ------- . uStart Page = hxxp://my.yahoo.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 IE: Easy-WebPrint Add To Print List - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html IE: Easy-WebPrint High Speed Print - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html IE: Easy-WebPrint Preview - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html IE: Easy-WebPrint Print - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm TCP: {1C94D276-D18B-4E37-B99C-DABDC16D715E} = 68.87.68.162,68.87.74.162 DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxp://linux1.domain:7779/imtapp/res/jar/cnsload.cab DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} - hxxp://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://atloradisp01.iss.net:7778/jinitiator/jinit.exe DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxp://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-05 22:40:06 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... c:\windows\system32\nihexe.dll 1813766 bytes executable scan completed successfully hidden files: 1 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra920_DB_homePagingServer] "ImagePath"="c:\oracle\product\9.2.0/bin/pagntsrv.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra920_DB_homeTNSListener] "ImagePath"="c:\oracle\product\9.2.0\BIN\TNSLSNR " . ------------------------ Other Running Processes ------------------------ . c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe c:\program files\Cisco Systems\VPN Client\cvpnd.exe c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\progra~1\McAfee.com\PERSON~1\MpfService.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\wdfmgr.exe c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe c:\program files\Internet Explorer\iexplore.exe c:\program files\Internet Explorer\iexplore.exe c:\program files\McAfee.com\Agent\mcagent.exe c:\program files\McAfee.com\Shared\mghtml.exe c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe . ************************************************************************** . Completion time: 2009-02-05 22:46:01 - machine was rebooted ComboFix-quarantined-files.txt 2009-02-06 03:45:58 ComboFix2.txt 2009-02-06 01:46:59 Pre-Run: 59,789,996,032 bytes free Post-Run: 59,781,054,464 bytes free 236 --- E O F --- 2008-06-21 07:00:42 #####################################################

Thanks for the help. I forgot to add in my previous update that I've been running in "Selective Startup" mode restricting certain services not to come up; as McAfee services were hogging the system and not allowing me to login. So I'd opted out few services to come up by using SAFE mode in msconfig. I've now followed your instructions: 1-Installed Recovery Console (the process was not exactly as stated in attached doc; it actually connected to download.microsoft.com and installed Recovery Console-however I do not know where to look for it) 2- Ran the ComboFix scan; uploading the log file below 3- Ran Hijack log and uploading the log file below. Would it be necessary to follow all these steps with all "Startup" and "Services" enabled OR "Normal Startup" mode from msconfig. Thanks again. ###################################### ComboFix log: ComboFix 09-02-05.01 - Vipul C. Patel 2009-02-05 20:43:45.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.704 [GMT -5:00] Running from: c:\documents and settings\Vipul C. Patel\Desktop\ComboFix.exe FW: McAfee Personal Firewall Plus *enabled* * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\Downloaded Program Files.\cnsload-3.0.3.406.dll c:\windows\Downloaded Program Files.\cnsload.inf c:\windows\IE4 Error Log.txt c:\windows\system32\bszip.dll c:\windows\system32\iehelper.dll c:\windows\system32\MabryObj.dll F:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 ))))))))))))))))))))))))))))))) . 2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\documents and settings\Vipul C. Patel\Application Data\Malwarebytes 2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-02-05 08:37 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-02-05 08:37 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-02-02 21:21 . 2009-02-02 21:21 <DIR> d-------- c:\windows\McAfee.com 2009-02-01 15:10 . 2009-02-01 15:10 273,920 --a------ c:\windows\system32\gripwca.dll 2009-02-01 15:07 . 2009-02-01 15:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2009-02-01 15:07 . 2009-02-01 15:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-01-28 01:42 . 2009-01-28 01:42 <DIR> d-------- c:\documents and settings\Vipul C. Patel\EurekaLog 2009-01-21 02:14 . 2009-01-21 02:14 273,920 --a------ c:\windows\system32\ysohto.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-09 13:28 256 ----a-w c:\documents and settings\Vipul C. Patel\pool.bin 2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "Second Copy 2000"="c:\program files\SecCopy\SecCopy.exe" [2001-09-17 1134080] "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-09 86016] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032] "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe] "nwiz"="nwiz.exe" [2006-03-09 c:\windows\system32\nwiz.exe] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{569DAC0F-2791-46ab-8EFC-A54B77C04C20}"= "c:\program files\DVD Ghost\ExecuteHooker.dll" [2004-07-27 90112] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify] 2004-11-01 10:50 8704 c:\windows\system32\PCANotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.MJPG"= Pvmjpg21.dll "VIDC.PIM1"= pclepim1.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk backup=c:\windows\pss\APC UPS Status.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSW IPSec Client.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DSW IPSec Client.lnk backup=c:\windows\pss\DSW IPSec Client.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Vipul C. Patel^Start Menu^Programs^Startup^Desktop Manager.lnk] path=c:\documents and settings\Vipul C. Patel\Start Menu\Programs\Startup\Desktop Manager.lnk backup=c:\windows\pss\Desktop Manager.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD] --a------ 2006-08-15 17:38 454144 c:\program files\SlySoft\AnyDVD\AnyDVD.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray] --a------ 2005-05-19 08:47 57344 c:\program files\SlySoft\CloneCD\CloneCDTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools] --a------ 2005-12-10 09:57 133016 c:\program files\DAEMON Tools\daemon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla] --a------ 2004-12-06 01:05 127035 c:\windows\system32\dla\tfswctrl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher] --a------ 2005-01-27 01:02 86016 c:\program files\Dell\Media Experience\DMXLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher] --------- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe] --a------ 2004-08-17 18:26 245760 c:\progra~1\McAfee.com\Agent\mcagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe] --a------ 2004-10-25 11:08 184320 c:\progra~1\McAfee.com\Agent\mcupdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask] --a------ 2006-01-17 13:03 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray] --a------ 2006-01-17 13:03 135168 c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe] --a------ 2004-08-22 15:31 1327104 c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDUiP6600DMon] --a------ 2005-05-25 08:35 69632 c:\program files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck] --a------ 2004-03-10 15:26 406016 c:\windows\system32\PSDrvCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2005-07-26 02:37 98304 c:\program files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] --a------ 2005-07-26 02:37 26112 c:\program files\Real\RealPlayer\realplay.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray] --a------ 2007-04-23 11:43 228088 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StormCodec_Helper] --a------ 2006-07-16 19:55 452945 c:\program files\Ringz Studio\Storm Codec\StormSet.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] --a------ 2007-05-27 22:09 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online] --a------ 2004-08-17 16:55 180224 c:\progra~1\McAfee.com\VSO\mcvsshld.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask] --a------ 2004-07-01 15:15 139264 c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WinVNC4"=3 (0x3) "RoxWatch9"=2 (0x2) "RoxMediaDB9"=3 (0x3) "RoxLiveShare9"=2 (0x2) "Roxio Upnp Server 9"=2 (0x2) "Roxio UPnP Renderer 9"=3 (0x3) "ose"=3 (0x3) "OracleServiceSAI"=3 (0x3) "OracleOra920_DB_homeTNSListener"=3 (0x3) "OracleOra920_DB_homeSNMPPeerMasterAgent"=3 (0x3) "OracleOra920_DB_homeSNMPPeerEncapsulator"=3 (0x3) "OracleOra920_DB_homePagingServer"=3 (0x3) "OracleOra920_DB_homeManagementServer"=3 (0x3) "OracleOra920_DB_homeHTTPServer"=3 (0x3) "OracleOra920_DB_homeClientCache"=3 (0x3) "OracleOra920_DB_homeAgent"=3 (0x3) "MpfService"=2 (0x2) "MDM"=2 (0x2) "MCVSRte"=2 (0x2) "mcupdmgr.exe"=3 (0x3) "McShield"=3 (0x3) "gusvc"=3 (0x3) "awhost32"=3 (0x3) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\Program Files\\eMule\\emule.exe"= "c:\\oracle\\product\\9.2.0\\Apache\\Apache\\Apache.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Trillian\\trillian.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\NetMeeting\\conf.exe"= "c:\\WINDOWS\\system32\\fxsclnt.exe"= "c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"= "c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "5900:TCP"= 5900:TCP:*:Disabled:VNC "5800:TCP"= 5800:TCP:*:Disabled:vnc2 R3 BENDER;Pinnacle DV/AV Capture;c:\windows\system32\drivers\bender.sys [2006-04-26 180480] S3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005-07-26 23296] S4 OracleOra920_DB_homeAgent;OracleOra920_DB_homeAgent;c:\oracle\product\9.2.0\bin\agntsrvc.exe [2002-04-26 28944] S4 OracleOra920_DB_homeClientCache;OracleOra920_DB_homeClientCache;c:\oracle\product\9.2.0\bin\ONRSD.EXE [2002-04-26 242328] S4 OracleOra920_DB_homeHTTPServer;OracleOra920_DB_homeHTTPServer;c:\oracle\product\9.2.0\Apache\Apache\Apache.exe [2002-04-18 4096] S4 OracleOra920_DB_homeManagementServer;OracleOra920_DB_homeManagementServer;c:\oracle\product\9.2.0\bin\OMSNTsrv.exe [2002-08-20 53248] S4 OracleOra920_DB_homePagingServer;OracleOra920_DB_homePagingServer;c:\oracle\product\9.2.0\bin\pagntsrv.exe [2002-08-20 49152] S4 OracleOra920_DB_homeSNMPPeerEncapsulator;OracleOra920_DB_homeSNMPPeerEncapsulato r;c:\oracle\product\9.2.0\bin\encsvc.exe [2002-02-13 187392] S4 OracleOra920_DB_homeSNMPPeerMasterAgent;OracleOra920_DB_homeSNMPPeerMasterAgent; c:\oracle\product\9.2.0\bin\agntsvc.exe [2002-02-13 254464] S4 OracleOra920_DB_homeTNSListener;OracleOra920_DB_homeTNSListener;c:\oracle\product\9.2.0\BIN\TNSLSNR --> c:\oracle\product\9.2.0\BIN\TNSLSNR [?] S4 OracleServiceSAI;OracleServiceSAI;c:\oracle\product\9.2.0\bin\ORACLE.EXE SAI --> c:\oracle\product\9.2.0\bin\ORACLE.EXE SAI [?] UnknownUnknown dsload;dsload; [x] . Contents of the 'Scheduled Tasks' folder 2009-01-23 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (SHANTI-Nirali V. Patel).job - c:\program files\mcafee.com\vso\mcmnhdlr.exe [2004-07-01 15:15] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (D82RQZ71-Administrator).job - c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (D82RQZ71-Administrator).job - c:\progra~1\mcafee.com\agent [2007-02-21 16:47] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Administrator).job - c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Administrator).job - c:\progra~1\mcafee.com\agent [2007-02-21 16:47] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Meena V. Patel).job - c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Meena V. Patel).job - c:\progra~1\mcafee.com\agent [2007-02-21 16:47] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Nirali V. Patel).job - c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Nirali V. Patel).job - c:\progra~1\mcafee.com\agent [2007-02-21 16:47] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Patel Family).job - c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Patel Family).job - c:\progra~1\mcafee.com\agent [2007-02-21 16:47] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Sohan V. Patel).job - c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Sohan V. Patel).job - c:\progra~1\mcafee.com\agent [2007-02-21 16:47] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Vipul C. Patel).job - c:\progra~1\McAfee.com\Agent\mcupdate.exe [2004-10-25 11:08] 2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Vipul C. Patel).job - c:\progra~1\McAfee.com\Agent [2007-02-21 16:47] . - - - - ORPHANS REMOVED - - - - BHO-{C9C42510-9B21-41c1-9DCD-8382A2D07C61} - c:\windows\system32\iehelper.dll . ------- Supplementary Scan ------- . uStart Page = hxxp://my.yahoo.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 IE: Easy-WebPrint Add To Print List - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html IE: Easy-WebPrint High Speed Print - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html IE: Easy-WebPrint Preview - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html IE: Easy-WebPrint Print - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm TCP: {1C94D276-D18B-4E37-B99C-DABDC16D715E} = 68.87.68.162,68.87.74.162 DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxp://linux1.domain:7779/imtapp/res/jar/cnsload.cab DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} - hxxp://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://atloradisp01.iss.net:7778/jinitiator/jinit.exe DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxp://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-05 20:45:13 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra920_DB_homePagingServer] "ImagePath"="c:\oracle\product\9.2.0/bin/pagntsrv.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra920_DB_homeTNSListener] "ImagePath"="c:\oracle\product\9.2.0\BIN\TNSLSNR " . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,d4,81,4d,c1,97, 62,3b,43,e2,63,26,f1,3f,c8,ff,68,9e,09,9a,e8,32,65,44,c6,e2,63,26,f1,3f,c8,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,50,63,fc,2a,96, 42,05,e6,6a,9c,d6,61,af,45,84,18,76,63,45,e5,60,c8,9d,b6,6a,9c,d6,61,af,45,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,e2,5c,9f,93,80, 8e,fb,2c,ff,7c,85,e0,43,d4,0e,fe,17,d7,ea,58,2c,fa,f6,27,ff,7c,85,e0,43,d4,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,4b,9e,87,3b,8c, 47,7b,57,86,8c,21,01,be,91,eb,e7,c5,54,cf,c2,94,60,df,22,86,8c,21,01,be,91,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,99,e5,21,e5,34, fc,04,16,f5,1d,4d,73,a8,13,5c,05,7f,c7,5c,1c,71,fd,98,5a,f5,1d,4d,73,a8,13,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,c8,50,0f,0c,1a, 39,78,11,df,20,58,62,78,6b,cf,c8,d6,f0,37,e1,2b,47,26,90,df,20,58,62,78,6b,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,23,db,ee,57,32, 19,96,1a,fb,a7,78,e6,12,2f,9a,ea,02,bb,c4,7d,dd,45,eb,e2,fb,a7,78,e6,12,2f,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,b3,bd,cb,48,8a, 6c,5e,9e,01,3a,48,fc,e8,04,4a,f1,36,3c,22,4b,16,ce,04,01,01,3a,48,fc,e8,04,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,48,00,ff,11,79, d4,80,bd,f6,0f,4e,58,98,5b,89,c9,3f,ae,13,dd,0d,7d,ce,c6,f6,0f,4e,58,98,5b,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,22,8b,ac,d8,02, 64,a3,32,3d,ce,ea,26,2d,45,aa,78,9c,ec,1c,8c,91,30,0f,fc,3d,ce,ea,26,2d,45,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,45,54,ad,7f,46, dc,23,2a,2a,b7,cc,b5,b9,7f,41,e7,73,44,fa,3e,e4,9e,d7,88,2a,b7,cc,b5,b9,7f,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,55,4a,29,8c,a2, 91,4e,f4,6c,43,2d,1e,aa,22,2f,9c,8c,f1,f7,82,15,bf,09,7a,6c,43,2d,1e,aa,22,\ . Completion time: 2009-02-05 20:46:58 ComboFix-quarantined-files.txt 2009-02-06 01:46:46 Pre-Run: 60,033,466,368 bytes free Post-Run: 60,167,045,120 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 330 --- E O F --- 2008-06-21 07:00:42 ################################ HijackThis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:00:22 PM, on 2/5/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\stsystra.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Vipul C. Patel\Desktop\HiJackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O1 - Hosts: 172.16.0.17 oracle2.lifedata.ldl oracle2 O1 - Hosts: 172.16.0.20 oracle1.lifedata.ldl oracle1 O1 - Hosts: 172.16.0.23 rman.lifedata.ldl rman O1 - Hosts: 172.16.0.13 oracle3.lifedata.ldl oracle3 O1 - Hosts: 24.126.168.138 fynda.getmyip.com gloryto3.domain linux1.domain newman.domain O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon_6600D\Easy-WebPrint\Toolband.dll O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe" O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - http://linux1.domain:7779/imtapp/res/jar/cnsload.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/33.06/uploader2.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173584011437 O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://atloradisp01.iss.net:7778/jinitiator/jinit.exe O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) - http://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...514/mcfscan.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{1C94D276-D18B-4E37-B99C-DABDC16D715E}: NameServer = 68.87.68.162,68.87.74.162 O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- End of file - 9407 bytes #########################################

Hi- Few days ago my computer was infected by Spyware Protect 2009. On researching; I'd removed AcScan and sysguard entries from registry and sysguard.exe from c:\windows folder. I still suspect that there are remnants of this infection. I'm uploading MBAM log and HJT log. Can anybody please take a look at MBAM log and advice on how to fix and/or not to fix 5 objects reported by MBAM. Thanks a lot. MBAM log ###################### Malwarebytes' Anti-Malware 1.33 Database version: 1730 Windows 5.1.2600 Service Pack 2 2/5/2009 8:46:33 AM mbam-log-2009-02-05 (08-46-22).txt Scan type: Quick Scan Objects scanned: 74126 Time elapsed: 6 minute(s), 59 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 3 Registry Values Infected: 0 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> No action taken. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> No action taken. HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> No action taken. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> No action taken. #################### HJT log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:54:24 AM, on 2/5/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\stsystra.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SecCopy\SecCopy.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\taskmgr.exe C:\WINDOWS\system32\cidaemon.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\WINDOWS\hh.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\TextPad 4\TextPad.exe C:\Documents and Settings\Vipul C. Patel\Desktop\HiJackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/? LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/? LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/? LinkId=69157 O1 - Hosts: 172.16.0.17 oracle2.lifedata.ldl oracle2 O1 - Hosts: 172.16.0.20 oracle1.lifedata.ldl oracle1 O1 - Hosts: 172.16.0.23 rman.lifedata.ldl rman O1 - Hosts: 172.16.0.13 oracle3.lifedata.ldl oracle3 O1 - Hosts: 24.126.168.138 fynda.getmyip.com gloryto3.domain linux1.domain newman.domain O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1 \SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo! \Common\yiesrvc.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32 \dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0 \bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1 \mcafee.com\vso\mcvsshl.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0 \Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon_6600D\Easy-WebPrint\Toolband.dll O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti- Malware\mbamgui.exe /install /silent O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe" O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" - scheduler O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32 \GPhotos.scr/200 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11 \EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon_6600D\Easy -WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon_6600D\Easy- WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon_6600D\Easy- WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon_6600D\Easy- WebPrint\Resource.dll/RC_Print.html O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0 \bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo! \Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11 \REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1 \SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200- 58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - http://linux1.domain:7779/imtapp/res/jar/cnsload.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo! \Common\yinsthelper.dll O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/33.06/uploader2.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173584011437 O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://atloradisp01.iss.net:7778/jinitiator/jinit.exe O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) - http://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...514/mcfscan.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{1C94D276-D18B-4E37-B99C-DABDC16D715E}: NameServer = 68.87.68.162,68.87.74.162 O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32 \nvsvc32.exe -- End of file - 9896 bytes ####################################