Removing Spyware Protect 2009 - MBAM log and HJT logs


sohnir


Hi-

A few days ago my computer was infected by Spyware Protect 2009. After researching it, I removed the AcScan and sysguard entries from the registry and sysguard.exe from the c:\windows folder.

I still suspect that there are remnants of this infection. I'm uploading the MBAM log and the HJT log.

Can anybody please take a look at the MBAM log and advise on how to fix, or whether not to fix, the 5 objects reported by MBAM?

Thanks a lot.

MBAM log

######################

Malwarebytes' Anti-Malware 1.33

Database version: 1730

Windows 5.1.2600 Service Pack 2

2/5/2009 8:46:33 AM

mbam-log-2009-02-05 (08-46-22).txt

Scan type: Quick Scan

Objects scanned: 74126

Time elapsed: 6 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> No action taken.

####################

HJT log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:54:24 AM, on 2/5/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SecCopy\SecCopy.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\hh.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\TextPad 4\TextPad.exe

C:\Documents and Settings\Vipul C. Patel\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: 172.16.0.17 oracle2.lifedata.ldl oracle2

O1 - Hosts: 172.16.0.20 oracle1.lifedata.ldl oracle1

O1 - Hosts: 172.16.0.23 rman.lifedata.ldl rman

O1 - Hosts: 172.16.0.13 oracle3.lifedata.ldl oracle3

O1 - Hosts: 24.126.168.138 fynda.getmyip.com gloryto3.domain linux1.domain newman.domain

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon_6600D\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe"

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - http://linux1.domain:7779/imtapp/res/jar/cnsload.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/33.06/uploader2.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173584011437

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab

O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe

O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) -

O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://atloradisp01.iss.net:7778/jinitiator/jinit.exe

O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) - http://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...514/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1C94D276-D18B-4E37-B99C-DABDC16D715E}: NameServer = 68.87.68.162,68.87.74.162

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 9896 bytes

####################################

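The two logs in the post above describe the same object from two angles: MBAM reports the DLL, its three CLSID registrations and a start-menu hijack, each marked "No action taken", while HijackThis lists the same CLSID as an O2 Browser Helper Object pointing at iehelper.dll. The following Python script is an added example, not code from the original post or from Malwarebytes or Trend Micro; it parses both logs, ties each MBAM finding to the BHO that owns it by CLSID or DLL path, and lists what MBAM detected but did not remove. The embedded log excerpts are copied from the post; the line layouts assumed are those of MBAM 1.33 and HijackThis 2.0.2 as shown there and may not hold for other versions.

```python
"""Correlate MBAM detections with HijackThis O2 (BHO) entries. Added example; the
log excerpts below are copied from the forum post, not produced by a new scan."""
import re

# Detection section of the MBAM log from the post above (copied verbatim).
MBAM_LOG = r"""
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> No action taken.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> No action taken.
"""

# Three O2 lines from the HijackThis log in the same post (two legitimate, one Vundo).
HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll
"""

CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
# "<item> (<signature>)" optionally followed by MBAM's "-> Bad: (1) Good: (0)" detail
MBAM_ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<sig>[^()]+)\)(?: -> .*)?$")
HJT_BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")


def parse_mbam(text):
    """One dict per MBAM detection: section, item, signature, and the action MBAM took."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):              # section header such as "Files Infected:"
            section = line[: -len(" Infected:")]
            continue
        if section is None or " -> " not in line:  # blanks and "(No malicious items detected)"
            continue
        left, action = line.rsplit(" -> ", 1)       # the last arrow carries the action
        m = MBAM_ITEM_RE.match(left)
        if m:
            findings.append({"section": section, "item": m.group("item"),
                             "signature": m.group("sig"), "action": action.rstrip(".")})
    return findings


def parse_hjt_bhos(text):
    """Map lower-cased CLSID -> (display name, DLL path) for every O2 BHO line."""
    bhos = {}
    for raw in text.splitlines():
        m = HJT_BHO_RE.match(raw.strip())
        if m:
            bhos[m.group("clsid").lower()] = (m.group("name"), m.group("path"))
    return bhos


def correlate(findings, bhos):
    """Group MBAM findings under the BHO they belong to: a registry finding matches on the
    CLSID in its key path, a file or memory-module finding matches on the DLL path.
    Findings that belong to no BHO are grouped under None."""
    groups = {clsid: [] for clsid in bhos}
    groups[None] = []
    for f in findings:
        clsids = {c.lower() for c in CLSID_RE.findall(f["item"])}
        key = None
        for clsid, (_name, path) in bhos.items():
            if clsid in clsids or f["item"].lower() == path.lower():
                key = clsid
                break
        groups[key].append(f)
    return groups


def pending(findings):
    """Detections MBAM logged but did not quarantine ("No action taken")."""
    return [f for f in findings if f["action"] == "No action taken"]


if __name__ == "__main__":
    findings = parse_mbam(MBAM_LOG)
    bhos = parse_hjt_bhos(HJT_LOG)
    print(f"{len(findings)} detections, {len(pending(findings))} still untreated")
    for clsid, group in correlate(findings, bhos).items():
        if not group:
            continue
        label = f"{bhos[clsid][0]} -> {bhos[clsid][1]}" if clsid else "not tied to any BHO"
        print(f"\n{clsid or '(none)'}: {label}")
        for f in group:
            print(f"  [{f['section']}] {f['signature']}: {f['item']}")
```

Run against the excerpts, it reports six detections, all untreated: five of them (the in-memory module, the file, and the three registry keys) collapse onto the single unnamed BHO at C:\WINDOWS\system32\iehelper.dll, and only the StartMenuLogOff data item stands apart. Matching on the CLSID rather than on the DLL name is what lets the HKEY_CLASSES_ROOT\CLSID and Ext\Stats keys be tied to the loader entry under Browser Helper Objects, which is the registration that makes Internet Explorer load the DLL at all.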

Root Admin

Please open NOTEPAD and on the FORMAT menu turn off Word Wrap

Then run this please.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Thanks for the help.

I forgot to add in my previous update that I've been running in "Selective Startup" mode, restricting certain services from starting, as the McAfee services were hogging the system and not allowing me to log in. So I opted a few services out of starting by using Safe mode in msconfig.

I've now followed your instructions:

1. Installed the Recovery Console (the process was not exactly as stated in the attached doc; it actually connected to download.microsoft.com and installed the Recovery Console; however, I do not know where to look for it).

2. Ran the ComboFix scan; the log file is below.

3. Ran HijackThis; the log file is below.

Would it be necessary to follow all these steps with all "Startup" and "Services" entries enabled, or in "Normal Startup" mode from msconfig?

Thanks again.

######################################

ComboFix log:

ComboFix 09-02-05.01 - Vipul C. Patel 2009-02-05 20:43:45.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.704 [GMT -5:00]

Running from: c:\documents and settings\Vipul C. Patel\Desktop\ComboFix.exe

FW: McAfee Personal Firewall Plus *enabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Downloaded Program Files.\cnsload-3.0.3.406.dll

c:\windows\Downloaded Program Files.\cnsload.inf

c:\windows\IE4 Error Log.txt

c:\windows\system32\bszip.dll

c:\windows\system32\iehelper.dll

c:\windows\system32\MabryObj.dll

F:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))

.

2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\documents and settings\Vipul C. Patel\Application Data\Malwarebytes

2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-05 08:37 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-05 08:37 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-02 21:21 . 2009-02-02 21:21 <DIR> d-------- c:\windows\McAfee.com

2009-02-01 15:10 . 2009-02-01 15:10 273,920 --a------ c:\windows\system32\gripwca.dll

2009-02-01 15:07 . 2009-02-01 15:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-02-01 15:07 . 2009-02-01 15:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-28 01:42 . 2009-01-28 01:42 <DIR> d-------- c:\documents and settings\Vipul C. Patel\EurekaLog

2009-01-21 02:14 . 2009-01-21 02:14 273,920 --a------ c:\windows\system32\ysohto.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-09 13:28 256 ----a-w c:\documents and settings\Vipul C. Patel\pool.bin

2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"Second Copy 2000"="c:\program files\SecCopy\SecCopy.exe" [2001-09-17 1134080]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-09 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

"nwiz"="nwiz.exe" [2006-03-09 c:\windows\system32\nwiz.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{569DAC0F-2791-46ab-8EFC-A54B77C04C20}"= "c:\program files\DVD Ghost\ExecuteHooker.dll" [2004-07-27 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2004-11-01 10:50 8704 c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.MJPG"= Pvmjpg21.dll

"VIDC.PIM1"= pclepim1.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk

backup=c:\windows\pss\APC UPS Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSW IPSec Client.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DSW IPSec Client.lnk

backup=c:\windows\pss\DSW IPSec Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk

backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Vipul C. Patel^Start Menu^Programs^Startup^Desktop Manager.lnk]

path=c:\documents and settings\Vipul C. Patel\Start Menu\Programs\Startup\Desktop Manager.lnk

backup=c:\windows\pss\Desktop Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]

--a------ 2006-08-15 17:38 454144 c:\program files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]

--a------ 2005-05-19 08:47 57344 c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2005-12-10 09:57 133016 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

--a------ 2004-12-06 01:05 127035 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

--a------ 2005-01-27 01:02 86016 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

--------- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

--a------ 2004-08-17 18:26 245760 c:\progra~1\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

--a------ 2004-10-25 11:08 184320 c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

--a------ 2006-01-17 13:03 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

--a------ 2006-01-17 13:03 135168 c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]

--a------ 2004-08-22 15:31 1327104 c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDUiP6600DMon]

--a------ 2005-05-25 08:35 69632 c:\program files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]

--a------ 2004-03-10 15:26 406016 c:\windows\system32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2005-07-26 02:37 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

--a------ 2005-07-26 02:37 26112 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]

--a------ 2007-04-23 11:43 228088 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StormCodec_Helper]

--a------ 2006-07-16 19:55 452945 c:\program files\Ringz Studio\Storm Codec\StormSet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

--a------ 2007-05-27 22:09 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]

--a------ 2004-08-17 16:55 180224 c:\progra~1\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]

--a------ 2004-07-01 15:15 139264 c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WinVNC4"=3 (0x3)

"RoxWatch9"=2 (0x2)

"RoxMediaDB9"=3 (0x3)

"RoxLiveShare9"=2 (0x2)

"Roxio Upnp Server 9"=2 (0x2)

"Roxio UPnP Renderer 9"=3 (0x3)

"ose"=3 (0x3)

"OracleServiceSAI"=3 (0x3)

"OracleOra920_DB_homeTNSListener"=3 (0x3)

"OracleOra920_DB_homeSNMPPeerMasterAgent"=3 (0x3)

"OracleOra920_DB_homeSNMPPeerEncapsulator"=3 (0x3)

"OracleOra920_DB_homePagingServer"=3 (0x3)

"OracleOra920_DB_homeManagementServer"=3 (0x3)

"OracleOra920_DB_homeHTTPServer"=3 (0x3)

"OracleOra920_DB_homeClientCache"=3 (0x3)

"OracleOra920_DB_homeAgent"=3 (0x3)

"MpfService"=2 (0x2)

"MDM"=2 (0x2)

"MCVSRte"=2 (0x2)

"mcupdmgr.exe"=3 (0x3)

"McShield"=3 (0x3)

"gusvc"=3 (0x3)

"awhost32"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\eMule\\emule.exe"=

"c:\\oracle\\product\\9.2.0\\Apache\\Apache\\Apache.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Trillian\\trillian.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=

"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"5900:TCP"= 5900:TCP:*:Disabled:VNC

"5800:TCP"= 5800:TCP:*:Disabled:vnc2

R3 BENDER;Pinnacle DV/AV Capture;c:\windows\system32\drivers\bender.sys [2006-04-26 180480]

S3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005-07-26 23296]

S4 OracleOra920_DB_homeAgent;OracleOra920_DB_homeAgent;c:\oracle\product\9.2.0\bin\agntsrvc.exe [2002-04-26 28944]

S4 OracleOra920_DB_homeClientCache;OracleOra920_DB_homeClientCache;c:\oracle\product\9.2.0\bin\ONRSD.EXE [2002-04-26 242328]

S4 OracleOra920_DB_homeHTTPServer;OracleOra920_DB_homeHTTPServer;c:\oracle\product\9.2.0\Apache\Apache\Apache.exe [2002-04-18 4096]

S4 OracleOra920_DB_homeManagementServer;OracleOra920_DB_homeManagementServer;c:\oracle\product\9.2.0\bin\OMSNTsrv.exe [2002-08-20 53248]

S4 OracleOra920_DB_homePagingServer;OracleOra920_DB_homePagingServer;c:\oracle\product\9.2.0\bin\pagntsrv.exe [2002-08-20 49152]

S4 OracleOra920_DB_homeSNMPPeerEncapsulator;OracleOra920_DB_homeSNMPPeerEncapsulator;c:\oracle\product\9.2.0\bin\encsvc.exe [2002-02-13 187392]

S4 OracleOra920_DB_homeSNMPPeerMasterAgent;OracleOra920_DB_homeSNMPPeerMasterAgent;c:\oracle\product\9.2.0\bin\agntsvc.exe [2002-02-13 254464]

S4 OracleOra920_DB_homeTNSListener;OracleOra920_DB_homeTNSListener;c:\oracle\product\9.2.0\BIN\TNSLSNR --> c:\oracle\product\9.2.0\BIN\TNSLSNR [?]

S4 OracleServiceSAI;OracleServiceSAI;c:\oracle\product\9.2.0\bin\ORACLE.EXE SAI --> c:\oracle\product\9.2.0\bin\ORACLE.EXE SAI [?]

UnknownUnknown dsload;dsload; [x]

.

Contents of the 'Scheduled Tasks' folder

2009-01-23 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (SHANTI-Nirali V. Patel).job

- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2004-07-01 15:15]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (D82RQZ71-Administrator).job

- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (D82RQZ71-Administrator).job

- c:\progra~1\mcafee.com\agent [2007-02-21 16:47]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Administrator).job

- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Administrator).job

- c:\progra~1\mcafee.com\agent [2007-02-21 16:47]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Meena V. Patel).job

- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Meena V. Patel).job

- c:\progra~1\mcafee.com\agent [2007-02-21 16:47]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Nirali V. Patel).job

- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Nirali V. Patel).job

- c:\progra~1\mcafee.com\agent [2007-02-21 16:47]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Patel Family).job

- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Patel Family).job

- c:\progra~1\mcafee.com\agent [2007-02-21 16:47]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Sohan V. Patel).job

- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Sohan V. Patel).job

- c:\progra~1\mcafee.com\agent [2007-02-21 16:47]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Vipul C. Patel).job

- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2004-10-25 11:08]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Vipul C. Patel).job

- c:\progra~1\McAfee.com\Agent [2007-02-21 16:47]

.

- - - - ORPHANS REMOVED - - - -

BHO-{C9C42510-9B21-41c1-9DCD-8382A2D07C61} - c:\windows\system32\iehelper.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

TCP: {1C94D276-D18B-4E37-B99C-DABDC16D715E} = 68.87.68.162,68.87.74.162

DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxp://linux1.domain:7779/imtapp/res/jar/cnsload.cab

DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} - hxxp://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe

DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://atloradisp01.iss.net:7778/jinitiator/jinit.exe

DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxp://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-05 20:45:13

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra920_DB_homePagingServer]

"ImagePath"="c:\oracle\product\9.2.0/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra920_DB_homeTNSListener]

"ImagePath"="c:\oracle\product\9.2.0\BIN\TNSLSNR "

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,d4,81,4d,c1,97,

62,3b,43,e2,63,26,f1,3f,c8,ff,68,9e,09,9a,e8,32,65,44,c6,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,50,63,fc,2a,96,

42,05,e6,6a,9c,d6,61,af,45,84,18,76,63,45,e5,60,c8,9d,b6,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,e2,5c,9f,93,80,

8e,fb,2c,ff,7c,85,e0,43,d4,0e,fe,17,d7,ea,58,2c,fa,f6,27,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,4b,9e,87,3b,8c,

47,7b,57,86,8c,21,01,be,91,eb,e7,c5,54,cf,c2,94,60,df,22,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,99,e5,21,e5,34,

fc,04,16,f5,1d,4d,73,a8,13,5c,05,7f,c7,5c,1c,71,fd,98,5a,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,c8,50,0f,0c,1a,

39,78,11,df,20,58,62,78,6b,cf,c8,d6,f0,37,e1,2b,47,26,90,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,23,db,ee,57,32,

19,96,1a,fb,a7,78,e6,12,2f,9a,ea,02,bb,c4,7d,dd,45,eb,e2,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,b3,bd,cb,48,8a,

6c,5e,9e,01,3a,48,fc,e8,04,4a,f1,36,3c,22,4b,16,ce,04,01,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,48,00,ff,11,79,

d4,80,bd,f6,0f,4e,58,98,5b,89,c9,3f,ae,13,dd,0d,7d,ce,c6,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,22,8b,ac,d8,02,

64,a3,32,3d,ce,ea,26,2d,45,aa,78,9c,ec,1c,8c,91,30,0f,fc,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,45,54,ad,7f,46,

dc,23,2a,2a,b7,cc,b5,b9,7f,41,e7,73,44,fa,3e,e4,9e,d7,88,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,55,4a,29,8c,a2,

91,4e,f4,6c,43,2d,1e,aa,22,2f,9c,8c,f1,f7,82,15,bf,09,7a,6c,43,2d,1e,aa,22,\

.

Completion time: 2009-02-05 20:46:58

ComboFix-quarantined-files.txt 2009-02-06 01:46:46

Pre-Run: 60,033,466,368 bytes free

Post-Run: 60,167,045,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

330 --- E O F --- 2008-06-21 07:00:42

################################

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:00:22 PM, on 2/5/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Vipul C. Patel\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: 172.16.0.17 oracle2.lifedata.ldl oracle2

O1 - Hosts: 172.16.0.20 oracle1.lifedata.ldl oracle1

O1 - Hosts: 172.16.0.23 rman.lifedata.ldl rman

O1 - Hosts: 172.16.0.13 oracle3.lifedata.ldl oracle3

O1 - Hosts: 24.126.168.138 fynda.getmyip.com gloryto3.domain linux1.domain newman.domain

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon_6600D\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe"

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - http://linux1.domain:7779/imtapp/res/jar/cnsload.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/33.06/uploader2.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173584011437

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab

O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe

O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) -

O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://atloradisp01.iss.net:7778/jinitiator/jinit.exe

O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) - http://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...514/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1C94D276-D18B-4E37-B99C-DABDC16D715E}: NameServer = 68.87.68.162,68.87.74.162

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 9407 bytes

#########################################


  • Root Admin

STEP 1

Yes, please start MSCONFIG and set it to NORMAL mode please.

STEP 2

I'm assuming you set those HOSTS file entries and the O17 DNS entries; if not, let me know, as they'll then need to be removed.

STEP 3

You need to update your Adobe Acrobat; at least install the version 9 Reader and set it as the default.

Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat

STEP 4

Please go into the Control Panel, Add/Remove, and for now remove ALL versions of JAVA.

When we're done you can go back and install the latest version, but for now please do not install any.

Then run this tool to help clean up any leftover Java.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.

Then look for the following Java folders and, if found, delete them.

C:\Program Files\Java

C:\Program Files\Common Files\Java

C:\Documents and Settings\All Users\Application Data\Java

C:\Documents and Settings\All Users\Application Data\Sun\Java

C:\Documents and Settings\username\Application Data\Java

C:\Documents and Settings\username\Application Data\Sun\Java

STEP 5

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines.

KILLALL::

File::
c:\windows\system32\gripwca.dll
c:\windows\system32\ysohto.dll


RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

Open a new Notepad session (do not use a word processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt".

Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:

[image: CFScript.gif]

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

STEP 6

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot, run HJT, do a system scan and save a logfile.

Then post back NEW MBAM and HJT logs, in that order, please.

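The post above ends by asking for fresh MBAM and HJT logs, and comparing the new HJT log with the old one is the step a helper repeats every round. As an added example (not code from this thread, from HijackThis or from ComboFix), here is a Python parser for the HJT log format that diffs two logs and lists the entries a helper asks the poster to confirm before writing a fix (the non-loopback Hosts and O17 NameServer lines of STEP 2, an O16 DPF line with no URL, a CLSID on a watch list); the sample logs are constructed from a few lines of the logs above.

```python
"""Parse Trend Micro HijackThis v2.0.2 logs, diff two of them, and list the
entries a helper asks the poster to confirm before writing a fix script.
Added example: not code from the forum thread, HijackThis or ComboFix."""
from __future__ import annotations
import re
from typing import NamedTuple, Optional

# A finding line is "<section> - <body>", e.g. "O2 - BHO: <name> - {CLSID} - <dll>".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LOOPBACK = ("127.", "::1")


class Entry(NamedTuple):
    section: str  # HJT section code: R0, O1, O2, O4, O16, O17, O23 ...
    body: str     # everything after "<section> - "

    @property
    def clsid(self) -> Optional[str]:
        m = CLSID_RE.search(self.body)
        return m.group(0).upper() if m else None


def parse_hjt(text: str) -> tuple[list[str], list[Entry]]:
    """Return (running processes, finding entries) from one HJT log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # the first R0/O1/... line ends the process list
            entries.append(Entry(m.group("section"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries


def diff_hjt(old: str, new: str) -> tuple[list[Entry], list[Entry]]:
    """Entries only in the old log (removed) and only in the new log (added),
    in log order; header lines such as the scan time are ignored."""
    _, old_e = parse_hjt(old)
    _, new_e = parse_hjt(new)
    old_set, new_set = set(old_e), set(new_e)
    return ([e for e in old_e if e not in new_set],
            [e for e in new_e if e not in old_set])


def review(entries: list[Entry], watch_clsids: set[str]) -> list[str]:
    """Checks run before proposing a fix: non-loopback O1 Hosts lines and O17
    NameServer overrides need the user's confirmation (legitimate here, a DNS
    hijack elsewhere); an O16 DPF with no URL is an orphaned installer; an
    O2/O3/O9 entry whose CLSID is on the watch list should already be gone."""
    watch = {c.upper() for c in watch_clsids}
    findings = []
    for e in entries:
        parts = e.body.split()
        if e.section == "O1" and parts and parts[0] == "Hosts:":
            if len(parts) < 2 or not parts[1].startswith(LOOPBACK):
                findings.append(f"confirm hosts entry: {e.body}")
        elif e.section == "O17":
            findings.append(f"confirm DNS override: {e.body}")
        elif e.section == "O16" and e.body.rstrip().endswith(" -"):
            findings.append(f"orphaned DPF (no URL): {e.clsid}")
        elif e.section in ("O2", "O3", "O9") and e.clsid in watch:
            findings.append(f"{e.section} still uses watched CLSID: {e.body}")
    return findings


# Constructed sample logs: a handful of lines from the thread's before/after logs.
OLD_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:22 PM, on 2/5/2009
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\cisvc.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 172.16.0.17 oracle2.lifedata.ldl oracle2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C94D276-D18B-4E37-B99C-DABDC16D715E}: NameServer = 68.87.68.162,68.87.74.162
"""
NEW_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:56 PM, on 2/5/2009
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
"""
```

Calling `diff_hjt(OLD_LOG, NEW_LOG)` shows the Java BHO, the MSConfig run entry, the orphaned JInitiator DPF and the Hosts/NameServer lines gone and the Adobe Reader 9 entries appearing, which is what a helper reads off the two logs by eye.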

Thanks for the quick response and advice.

I've followed the steps below as instructed, but missed removing all JAVA, as noted in step 3 below.

1- Restarted in Normal MSCONFIG mode

2- The hosts file entries are good; I need to access them.

3- Upgraded to Adobe reader 9

4- De-installed JRE 6 and executed JavaRa to remove all JAVA. However, I missed deleting all the JAVA folders that you mentioned at this step. I did remove them after step 5 below. Not sure whether it impacted the ComboFix run or not.

Also, I have a few installations of JInitiator; they are plugins for accessing Oracle Applications forms via the browser. Do I need to de-install them as well?

I'm assuming you'll advise me to install the latest and safer version of JAVA at the end of this exercise.

5- Ran ComboFix; in the middle, the computer rebooted. While on its way to reboot, it complained with the following Windows error message:

--------------------------------

NirCmd.cfexe - DLL Initialization failed

The application failed to initialize because the window station is shutting down

--------------------------------

I ignored this message for a few seconds and it went away; it successfully rebooted, finished the rest of the ComboFix steps and produced a log. I'll paste the log at the end of this update. Does this error message indicate something? Is it dangerous?

Here I realized I had missed the step of deleting the JAVA folders; I then removed them.

6- I ran Malwarebytes Anti-Malware; I'll paste the logs below.

7- Restarted the computer and produced HJT logs.

8- As part of running ComboFix for the 1st time, I was advised to DISABLE the firewall; I then disabled the Windows firewall. Should I re-enable it again?

Thanks.

##############################################

MBAM logs

Malwarebytes' Anti-Malware 1.33

Database version: 1733

Windows 5.1.2600 Service Pack 2

2/5/2009 11:07:02 PM

mbam-log-2009-02-05 (23-07-02).txt

Scan type: Quick Scan

Objects scanned: 72354

Time elapsed: 4 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

###############################################

HJT logs

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:12:56 PM, on 2/5/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

c:\program files\mcafee.com\agent\mcagent.exe

C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\SecCopy\SecCopy.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\TextPad 4\TextPad.exe

C:\Documents and Settings\Vipul C. Patel\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon_6600D\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [stormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe"

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: APC UPS Status.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: DSW IPSec Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - http://linux1.domain:7779/imtapp/res/jar/cnsload.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/33.06/uploader2.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173584011437

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab

O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe

O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) -

O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://atloradisp01.iss.net:7778/jinitiator/jinit.exe

O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) - http://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...514/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1C94D276-D18B-4E37-B99C-DABDC16D715E}: NameServer = 68.87.68.162,68.87.74.162

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: OracleOra920_DB_homeAgent - Oracle Corporation - C:\oracle\product\9.2.0\bin\agntsrvc.exe

O23 - Service: OracleOra920_DB_homeClientCache - Unknown owner - C:\oracle\product\9.2.0\BIN\ONRSD.EXE

O23 - Service: OracleOra920_DB_homeHTTPServer - Unknown owner - C:\oracle\product\9.2.0\Apache\Apache\apache.exe

O23 - Service: OracleOra920_DB_homeManagementServer - Unknown owner - C:\oracle\product\9.2.0\bin\OMSNTsrv.exe

O23 - Service: OracleOra920_DB_homePagingServer - Unknown owner - C:\oracle\product\9.2.0/bin/pagntsrv.exe

O23 - Service: OracleOra920_DB_homeSNMPPeerEncapsulator - Unknown owner - C:\oracle\product\9.2.0\BIN\ENCSVC.EXE

O23 - Service: OracleOra920_DB_homeSNMPPeerMasterAgent - Unknown owner - C:\oracle\product\9.2.0\BIN\AGNTSVC.EXE

O23 - Service: OracleOra920_DB_homeTNSListener - Unknown owner - C:\oracle\product\9.2.0\BIN\TNSLSNR.exe

O23 - Service: OracleServiceSAI - Oracle Corporation - c:\oracle\product\9.2.0\bin\ORACLE.EXE

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--

End of file - 14843 bytes

###################################################

ComboFix log

ComboFix 09-02-05.01 - Vipul C. Patel 2009-02-05 22:29:58.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.670 [GMT -5:00]

Running from: c:\documents and settings\Vipul C. Patel\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Vipul C. Patel\Desktop\CFscript.txt

FW: McAfee Personal Firewall Plus *enabled*

* Created a new restore point

FILE ::

c:\windows\system32\gripwca.dll

c:\windows\system32\ysohto.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\gripwca.dll

c:\windows\system32\ysohto.dll

.

((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))

.

2009-02-05 22:06 . 2009-02-05 22:06 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2009-02-05 22:03 . 2009-02-05 22:03 <DIR> d-------- c:\program files\NOS

2009-02-05 22:03 . 2009-02-05 22:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\documents and settings\Vipul C. Patel\Application Data\Malwarebytes

2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-05 08:37 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-05 08:37 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-02 21:21 . 2009-02-02 21:21 <DIR> d-------- c:\windows\McAfee.com

2009-02-01 15:07 . 2009-02-01 15:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-02-01 15:07 . 2009-02-01 15:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-28 01:42 . 2009-01-28 01:42 <DIR> d-------- c:\documents and settings\Vipul C. Patel\EurekaLog

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-09 13:28 256 ----a-w c:\documents and settings\Vipul C. Patel\pool.bin

.

((((((((((((((((((((((((((((( SnapShot@2009-02-05_20.45.37.88 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-12-12 20:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe

+ 2008-04-23 04:16:30 1,076,642 ----a-w c:\windows\system32\andaapicra.dll

- 2005-07-30 18:32:47 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-02-06 03:03:59 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2005-07-30 18:32:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-02-06 03:03:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2005-07-30 18:32:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-02-06 03:03:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-04-23 04:16:30 1,813,766 ----a-w c:\windows\system32\nihexe.dll

- 2009-02-06 01:17:59 55,614 ----a-w c:\windows\system32\perfc009.dat

+ 2009-02-06 03:13:53 55,614 ----a-w c:\windows\system32\perfc009.dat

- 2009-02-06 01:17:59 388,050 ----a-w c:\windows\system32\perfh009.dat

+ 2009-02-06 03:13:53 388,050 ----a-w c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"Second Copy 2000"="c:\program files\SecCopy\SecCopy.exe" [2001-09-17 1134080]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-09 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]

"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2004-07-01 139264]

"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2004-08-17 180224]

"StormCodec_Helper"="c:\program files\Ringz Studio\Storm Codec\StormSet.exe" [2006-07-16 452945]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-07-26 26112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-26 98304]

"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]

"PDUiP6600DMon"="c:\program files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [2005-05-25 69632]

"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2004-08-22 1327104]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]

"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2004-10-25 184320]

"MCAgentExe"="c:\progra~1\McAfee.com\Agent\McAgent.exe" [2004-08-17 245760]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]

"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344]

"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2006-08-15 454144]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

"nwiz"="nwiz.exe" [2006-03-09 c:\windows\system32\nwiz.exe]

c:\documents and settings\Vipul C. Patel\Start Menu\Programs\Startup\

Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-10-02 1283608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]

APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-07-19 221295]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-07-26 24576]

DSW IPSec Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2005-08-08 1425424]

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 51776]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{569DAC0F-2791-46ab-8EFC-A54B77C04C20}"= "c:\program files\DVD Ghost\ExecuteHooker.dll" [2004-07-27 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2004-11-01 10:50 8704 c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.MJPG"= Pvmjpg21.dll

"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\eMule\\emule.exe"=

"c:\\oracle\\product\\9.2.0\\Apache\\Apache\\Apache.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Trillian\\trillian.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=

"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"5900:TCP"= 5900:TCP:*:Disabled:VNC

"5800:TCP"= 5800:TCP:*:Disabled:vnc2

R3 BENDER;Pinnacle DV/AV Capture;c:\windows\system32\drivers\bender.sys [2006-04-26 180480]

R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005-07-26 23296]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-05 33752]

S3 OracleOra920_DB_homeAgent;OracleOra920_DB_homeAgent;c:\oracle\product\9.2.0\bin\agntsrvc.exe [2002-04-26 28944]

S3 OracleOra920_DB_homeClientCache;OracleOra920_DB_homeClientCache;c:\oracle\product\9.2.0\bin\ONRSD.EXE [2002-04-26 242328]

S3 OracleOra920_DB_homeHTTPServer;OracleOra920_DB_homeHTTPServer;c:\oracle\product\9.2.0\Apache\Apache\Apache.exe [2002-04-18 4096]

S3 OracleOra920_DB_homeManagementServer;OracleOra920_DB_homeManagementServer;c:\oracle\product\9.2.0\bin\OMSNTsrv.exe [2002-08-20 53248]

S3 OracleOra920_DB_homePagingServer;OracleOra920_DB_homePagingServer;c:\oracle\product\9.2.0\bin\pagntsrv.exe [2002-08-20 49152]

S3 OracleOra920_DB_homeSNMPPeerEncapsulator;OracleOra920_DB_homeSNMPPeerEncapsulator;c:\oracle\product\9.2.0\bin\encsvc.exe [2002-02-13 187392]

S3 OracleOra920_DB_homeSNMPPeerMasterAgent;OracleOra920_DB_homeSNMPPeerMasterAgent;c:\oracle\product\9.2.0\bin\agntsvc.exe [2002-02-13 254464]

S3 OracleOra920_DB_homeTNSListener;OracleOra920_DB_homeTNSListener;c:\oracle\product\9.2.0\BIN\TNSLSNR --> c:\oracle\product\9.2.0\BIN\TNSLSNR [?]

S3 OracleServiceSAI;OracleServiceSAI;c:\oracle\product\9.2.0\bin\ORACLE.EXE SAI --> c:\oracle\product\9.2.0\bin\ORACLE.EXE SAI [?]

UnknownUnknown dsload;dsload; [x]

.

Contents of the 'Scheduled Tasks' folder

2009-01-23 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (SHANTI-Nirali V. Patel).job

- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2004-07-01 15:15]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (D82RQZ71-Administrator).job

- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (D82RQZ71-Administrator).job

- c:\progra~1\mcafee.com\agent [2007-02-21 16:47]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Administrator).job

- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Administrator).job

- c:\progra~1\mcafee.com\agent [2007-02-21 16:47]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Meena V. Patel).job

- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Meena V. Patel).job

- c:\progra~1\mcafee.com\agent [2007-02-21 16:47]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Nirali V. Patel).job

- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Nirali V. Patel).job

- c:\progra~1\mcafee.com\agent [2007-02-21 16:47]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Patel Family).job

- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Patel Family).job

- c:\progra~1\mcafee.com\agent [2007-02-21 16:47]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Sohan V. Patel).job

- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Sohan V. Patel).job

- c:\progra~1\mcafee.com\agent [2007-02-21 16:47]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Vipul C. Patel).job

- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2004-10-25 11:08]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Vipul C. Patel).job

- c:\progra~1\McAfee.com\Agent [2007-02-21 16:47]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

TCP: {1C94D276-D18B-4E37-B99C-DABDC16D715E} = 68.87.68.162,68.87.74.162

DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxp://linux1.domain:7779/imtapp/res/jar/cnsload.cab

DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} - hxxp://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe

DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://atloradisp01.iss.net:7778/jinitiator/jinit.exe

DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxp://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-05 22:40:06

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\nihexe.dll 1813766 bytes executable

scan completed successfully

hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra920_DB_homePagingServer]

"ImagePath"="c:\oracle\product\9.2.0/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra920_DB_homeTNSListener]

"ImagePath"="c:\oracle\product\9.2.0\BIN\TNSLSNR "

.

------------------------ Other Running Processes ------------------------

.

c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\progra~1\McAfee.com\PERSON~1\MpfService.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wdfmgr.exe

c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\McAfee.com\Agent\mcagent.exe

c:\program files\McAfee.com\Shared\mghtml.exe

c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe

c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe

c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe

.

**************************************************************************

.

Completion time: 2009-02-05 22:46:01 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-06 03:45:58

ComboFix2.txt 2009-02-06 01:46:59

Pre-Run: 59,789,996,032 bytes free

Post-Run: 59,781,054,464 bytes free

236 --- E O F --- 2008-06-21 07:00:42

#####################################################

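A way to read logs like the ones above mechanically, as an added example that is not part of this thread and is not a ComboFix, HijackThis or Malwarebytes feature: the Python below parses three parts of a ComboFix log, the SnapShot diff, the REGEDIT4-style "Reg Loading Points" section and the firewall policy lines. The sample lines are copied from the ComboFix log posted above. The heuristics (executables newly created under system32, Security Center notification suppression, the Windows Firewall standard-profile switch, and global port exceptions together with whether they are enabled) are this example's own, and the SC_SILENCERS value names are an assumption taken from the Security Center notification settings rather than anything the thread states.

```python
"""Triage helpers for a ComboFix-style log. Added example, not a ComboFix,
HijackThis or Malwarebytes tool; the heuristics are this example's own."""
import re

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
+ 2008-04-23 04:16:30 1,076,642 ----a-w c:\windows\system32\andaapicra.dll
- 2005-07-30 18:32:47 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-06 03:03:59 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-23 04:16:30 1,813,766 ----a-w c:\windows\system32\nihexe.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:*:Disabled:VNC
"5800:TCP"= 5800:TCP:*:Disabled:vnc2
"""

# SnapShot diff lines: "+/- date time size attrs path". '-' is the earlier
# snapshot, '+' the current one, so a path with only a '+' line is new.
SNAPSHOT_RE = re.compile(
    r"^([+-]) (\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) ([\d,]+) (\S+) (.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

SYSTEM32 = "c:\\windows\\system32\\"
EXEC_EXT = (".dll", ".exe", ".sys")
# Assumed Security Center values that silence "no antivirus/firewall" warnings.
SC_SILENCERS = {"antivirusdisablenotify", "firewalldisablenotify",
                "updatesdisablenotify", "antivirusoverride", "firewalloverride"}

def parse_snapshot(text):
    """(sign, date, size, lower-cased path) for each SnapShot diff line."""
    rows = []
    for line in text.splitlines():
        m = SNAPSHOT_RE.match(line)
        if m:
            sign, date, _t, size, _attrs, path = m.groups()
            rows.append((sign, date, int(size.replace(",", "")), path.lower()))
    return rows

def new_executables(text):
    """Executables under system32 created since the earlier snapshot.
    Vundo-style droppers land here under random names."""
    rows = parse_snapshot(text)
    modified = {p for s, _, _, p in rows if s == "-"}
    return [p for s, _, _, p in rows
            if s == "+" and p not in modified
            and p.startswith(SYSTEM32) and p.endswith(EXEC_EXT)]

def parse_registry(text):
    """Yield (lower-cased key, value name, data) from REGEDIT4-style sections."""
    key = None
    for line in text.splitlines():
        k = KEY_RE.match(line)
        if k:
            key = k.group(1).lower()
            continue
        v = VALUE_RE.match(line)
        if v and key is not None:
            yield key, v.group(1), v.group(2).strip()

def as_int(data):
    """Decode 'dword:00000001' or '0 (0x0)' to an int; None if not numeric."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    try:
        return int(data.split()[0])
    except (ValueError, IndexError):
        return None

def registry_findings(text):
    """Settings that hide or weaken host protection."""
    out = []
    for key, name, data in parse_registry(text):
        lname = name.lower()
        if "security center" in key and lname in SC_SILENCERS and as_int(data) == 1:
            out.append(f"Security Center warning suppressed: {name}")
        elif key.endswith("standardprofile") and lname == "enablefirewall" and as_int(data) == 0:
            out.append("Windows Firewall off (standard profile); acceptable only "
                       "if a third-party firewall is confirmed running")
    return out

def open_ports(text):
    """(port, proto, enabled) for GloballyOpenPorts entries. Exceptions the
    log prints with ':Disabled:' exist but are switched off, so they are not
    reachable and must not be reported as open."""
    ports = []
    for key, name, data in parse_registry(text):
        if key.endswith("globallyopenports\\list"):
            port, proto = name.split(":")
            ports.append((int(port), proto, ":disabled:" not in data.lower()))
    return ports

if __name__ == "__main__":
    print("new executables:", new_executables(SAMPLE_LOG))
    print("policy findings:", registry_findings(SAMPLE_LOG))
    print("global port exceptions:", open_ports(SAMPLE_LOG))
```

On the sample it reports andaapicra.dll and nihexe.dll as newly created executables (nihexe.dll is the file catchme listed as hidden), flags AntiVirusDisableNotify, and shows the 3389/TCP exception enabled while the two VNC exceptions are present but disabled. Two caveats: EnableFirewall=0 is expected on this machine because the log header shows McAfee Personal Firewall Plus enabled, and AntiVirusDisableNotify can also be set by a user who dismissed the Security Center balloon, so treat both as prompts to check rather than as verdicts.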

  • Root Admin

Okay, a few more things and hopefully we should be done.

Please take a look in Control Panel, Scheduled Tasks and remove all the tasks. If you need any of them you can recreate them later on.

STEP 1

Download but do not yet run ComboFix

Please delete your previous version of Combofix.exe, and download a NEW fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines.

KILLALL::

File::
c:\windows\system32\andaapicra.dll
c:\windows\system32\nihexe.dll

Open a new Notepad session (do not use a word processor or WordPad). Click Format and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., set the location to your Desktop, and enter "CFscript.txt" (including the quotation marks) as the filename.

Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon.

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes, Notepad will open with your results log. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

STEP 2

  • Download FixPolicies.exe by Bill Castner and save it to your desktop.
  • Double click on FixPolicies.exe to run it.
  • Click on Install. It will create a folder named FixPolicies on your desktop.
  • Open the FixPolicies folder.
  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.
  • Reboot your computer after it runs
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
  • Note: some malware will block the running of this tool, so if you cannot run FixPolicies, RENAME the EXE file to something like Mytool.exe and then run it.

STEP 3

Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip

Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install

STEP 4

  • Download and install CCleaner
  • Double-click on the downloaded file "ccsetup216.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 5

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Admin).
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot, run HJT, do a system scan and save a logfile.

Then post back the NEW MBAM and HJT logs, in that order, please.


Hi-

I've followed all the steps as instructed and here are all the logs.

Curious questions and notes:

1- Are we going to re-install new JAVA at the end?

2- In one of the steps, when the computer rebooted, it reported that Windows Explorer terminated with an error (the standard Microsoft message asking if you want to report to MS).

3- What did we do in steps 2 and 3?

4- Step 4 cleaned up about 148 MB of files...

Thanks again.

###################################

MBAM log

Malwarebytes' Anti-Malware 1.33

Database version: 1733

Windows 5.1.2600 Service Pack 2

2/6/2009 9:14:57 AM

mbam-log-2009-02-06 (09-14-57).txt

Scan type: Quick Scan

Objects scanned: 72215

Time elapsed: 4 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

############################

HJT log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:20:38 AM, on 2/6/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

c:\program files\mcafee.com\agent\mcagent.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SecCopy\SecCopy.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\TextPad 4\TextPad.exe

C:\Documents and Settings\Vipul C. Patel\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon_6600D\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [stormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe"

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: APC UPS Status.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: DSW IPSec Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - http://linux1.domain:7779/imtapp/res/jar/cnsload.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/33.06/uploader2.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173584011437

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab

O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe

O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) -

O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://atloradisp01.iss.net:7778/jinitiator/jinit.exe

O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) - http://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...514/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1C94D276-D18B-4E37-B99C-DABDC16D715E}: NameServer = 68.87.68.162,68.87.74.162

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: OracleOra920_DB_homeAgent - Oracle Corporation - C:\oracle\product\9.2.0\bin\agntsrvc.exe

O23 - Service: OracleOra920_DB_homeClientCache - Unknown owner - C:\oracle\product\9.2.0\BIN\ONRSD.EXE

O23 - Service: OracleOra920_DB_homeHTTPServer - Unknown owner - C:\oracle\product\9.2.0\Apache\Apache\apache.exe

O23 - Service: OracleOra920_DB_homeManagementServer - Unknown owner - C:\oracle\product\9.2.0\bin\OMSNTsrv.exe

O23 - Service: OracleOra920_DB_homePagingServer - Unknown owner - C:\oracle\product\9.2.0/bin/pagntsrv.exe

O23 - Service: OracleOra920_DB_homeSNMPPeerEncapsulator - Unknown owner - C:\oracle\product\9.2.0\BIN\ENCSVC.EXE

O23 - Service: OracleOra920_DB_homeSNMPPeerMasterAgent - Unknown owner - C:\oracle\product\9.2.0\BIN\AGNTSVC.EXE

O23 - Service: OracleOra920_DB_homeTNSListener - Unknown owner - C:\oracle\product\9.2.0\BIN\TNSLSNR.exe

O23 - Service: OracleServiceSAI - Oracle Corporation - c:\oracle\product\9.2.0\bin\ORACLE.EXE

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--

End of file - 14842 bytes

##################################

ComboFix log


Forgot to paste ComboFix log...here it is ...

##########################

ComboFix 09-02-05.02 - Vipul C. Patel 2009-02-06 8:27:31.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.647 [GMT -5:00]

Running from: c:\documents and settings\Vipul C. Patel\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Vipul C. Patel\Desktop\CFscript.txt

FW: McAfee Personal Firewall Plus *enabled*

* Created a new restore point

FILE ::

c:\windows\system32\andaapicra.dll

c:\windows\system32\nihexe.dll

.

((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))

.

2009-02-05 22:06 . 2009-02-05 22:06 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2009-02-05 22:03 . 2009-02-05 22:03 <DIR> d-------- c:\program files\NOS

2009-02-05 22:03 . 2009-02-05 22:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\documents and settings\Vipul C. Patel\Application Data\Malwarebytes

2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-05 08:37 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-05 08:37 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-02 21:21 . 2009-02-02 21:21 <DIR> d-------- c:\windows\McAfee.com

2009-02-01 15:07 . 2009-02-01 15:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-02-01 15:07 . 2009-02-01 15:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-28 01:42 . 2009-01-28 01:42 <DIR> d-------- c:\documents and settings\Vipul C. Patel\EurekaLog

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-09 13:28 256 ----a-w c:\documents and settings\Vipul C. Patel\pool.bin

.

((((((((((((((((((((((((((((( SnapShot@2009-02-05_20.45.37.88 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-12-12 20:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe

- 2005-07-30 18:32:47 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-02-06 03:03:59 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2005-07-30 18:32:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-02-06 03:03:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2005-07-30 18:32:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-02-06 03:03:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-04-23 04:16:30 1,485,156 ----a-w c:\windows\system32\foswinas.dll

- 2009-02-06 01:17:59 55,614 ----a-w c:\windows\system32\perfc009.dat

+ 2009-02-06 13:23:04 55,614 ----a-w c:\windows\system32\perfc009.dat

- 2009-02-06 01:17:59 388,050 ----a-w c:\windows\system32\perfh009.dat

+ 2009-02-06 13:23:04 388,050 ----a-w c:\windows\system32\perfh009.dat

+ 2008-04-23 04:16:30 1,959,551 ----a-w c:\windows\system32\poperrerr.dll

+ 2008-04-23 04:16:30 1,157,166 ----a-w c:\windows\system32\togeco.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"Second Copy 2000"="c:\program files\SecCopy\SecCopy.exe" [2001-09-17 1134080]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-09 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]

"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2004-07-01 139264]

"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2004-08-17 180224]

"StormCodec_Helper"="c:\program files\Ringz Studio\Storm Codec\StormSet.exe" [2006-07-16 452945]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-07-26 26112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-26 98304]

"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]

"PDUiP6600DMon"="c:\program files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [2005-05-25 69632]

"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2004-08-22 1327104]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]

"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2004-10-25 184320]

"MCAgentExe"="c:\progra~1\McAfee.com\Agent\McAgent.exe" [2004-08-17 245760]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]

"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344]

"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2006-08-15 454144]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

"nwiz"="nwiz.exe" [2006-03-09 c:\windows\system32\nwiz.exe]

c:\documents and settings\Vipul C. Patel\Start Menu\Programs\Startup\

Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-10-02 1283608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]

APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-07-19 221295]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-07-26 24576]

DSW IPSec Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2005-08-08 1425424]

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 51776]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{569DAC0F-2791-46ab-8EFC-A54B77C04C20}"= "c:\program files\DVD Ghost\ExecuteHooker.dll" [2004-07-27 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2004-11-01 10:50 8704 c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.MJPG"= Pvmjpg21.dll

"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\eMule\\emule.exe"=

"c:\\oracle\\product\\9.2.0\\Apache\\Apache\\Apache.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Trillian\\trillian.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=

"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"5900:TCP"= 5900:TCP:*:Disabled:VNC

"5800:TCP"= 5800:TCP:*:Disabled:vnc2

R3 BENDER;Pinnacle DV/AV Capture;c:\windows\system32\drivers\bender.sys [2006-04-26 180480]

R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005-07-26 23296]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-05 33752]

S3 OracleOra920_DB_homeAgent;OracleOra920_DB_homeAgent;c:\oracle\product\9.2.0\bin\agntsrvc.exe [2002-04-26 28944]

S3 OracleOra920_DB_homeClientCache;OracleOra920_DB_homeClientCache;c:\oracle\product\9.2.0\bin\ONRSD.EXE [2002-04-26 242328]

S3 OracleOra920_DB_homeHTTPServer;OracleOra920_DB_homeHTTPServer;c:\oracle\product\9.2.0\Apache\Apache\Apache.exe [2002-04-18 4096]

S3 OracleOra920_DB_homeManagementServer;OracleOra920_DB_homeManagementServer;c:\oracle\product\9.2.0\bin\OMSNTsrv.exe [2002-08-20 53248]

S3 OracleOra920_DB_homePagingServer;OracleOra920_DB_homePagingServer;c:\oracle\product\9.2.0\bin\pagntsrv.exe [2002-08-20 49152]

S3 OracleOra920_DB_homeSNMPPeerEncapsulator;OracleOra920_DB_homeSNMPPeerEncapsulator;c:\oracle\product\9.2.0\bin\encsvc.exe [2002-02-13 187392]

S3 OracleOra920_DB_homeSNMPPeerMasterAgent;OracleOra920_DB_homeSNMPPeerMasterAgent;c:\oracle\product\9.2.0\bin\agntsvc.exe [2002-02-13 254464]

S3 OracleOra920_DB_homeTNSListener;OracleOra920_DB_homeTNSListener;c:\oracle\product\9.2.0\BIN\TNSLSNR --> c:\oracle\product\9.2.0\BIN\TNSLSNR [?]

S3 OracleServiceSAI;OracleServiceSAI;c:\oracle\product\9.2.0\bin\ORACLE.EXE SAI --> c:\oracle\product\9.2.0\bin\ORACLE.EXE SAI [?]

UnknownUnknown dsload;dsload; [x]

.

Contents of the 'Scheduled Tasks' folder

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Vipul C. Patel).job

- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08]

2009-02-06 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Vipul C. Patel).job

- c:\progra~1\mcafee.com\agent [2007-02-21 16:47]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

TCP: {1C94D276-D18B-4E37-B99C-DABDC16D715E} = 68.87.68.162,68.87.74.162

DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxp://linux1.domain:7779/imtapp/res/jar/cnsload.cab

DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} - hxxp://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe

DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://atloradisp01.iss.net:7778/jinitiator/jinit.exe

DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxp://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-06 08:41:39

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\togeco.dll 1157166 bytes executable

scan completed successfully

hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra920_DB_homePagingServer]

"ImagePath"="c:\oracle\product\9.2.0/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra920_DB_homeTNSListener]

"ImagePath"="c:\oracle\product\9.2.0\BIN\TNSLSNR "

.

------------------------ Other Running Processes ------------------------

.

c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\progra~1\McAfee.com\PERSON~1\MpfService.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wdfmgr.exe

c:\program files\McAfee.com\Agent\mcagent.exe

c:\program files\McAfee.com\Shared\mghtml.exe

c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe

c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe

c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe

.

**************************************************************************

.

Completion time: 2009-02-06 8:46:47 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-06 13:46:45

ComboFix2.txt 2009-02-06 03:46:02

ComboFix3.txt 2009-02-06 01:46:59

Pre-Run: 59,755,712,512 bytes free

Post-Run: 59,745,042,432 bytes free

206 --- E O F --- 2008-06-21 07:00:42

#########################


  • Root Admin

1- Are we going to re-install new JAVA at the end?

Yes we will remove tools used and put back software as needed

2- In one of the steps, when the computer rebooted, it reported that Windows Explorer terminated with an error (standard Microsoft message asking if you want to report to MS).

Probably not an issue unless it does it on every reboot

3- What did we do in steps 2 and 3?

Often malware disables the tools and methods used to repair the system by removing your rights to run them via a policy in the Registry; these tools simply went through and attempted to remove those policies so that you can run the tools or view certain features.

4- Step 4 cleaned up about 148 MB of files...

That's good; it cleaned a lot of useless junk as well. I've seen some users gain back a couple of gigabytes of disk space with it before.

Well I was hoping we'd be done now, but another hidden DLL file showed up in the scan which is a bit odd.

Please run the Combofix again as shown.

STEP 1

Download but do not yet run ComboFix

Please delete your previous version of Combofix.exe, and download a NEW fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

File::
c:\windows\system32\togeco.dll

Open a new Notepad session (Do not use a Word Processor or WordPad). Click Format and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: CFscript.txt .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes, Notepad will open with your results log. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

STEP 2

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

STEP 3

Download Dr Web and then disable your McAfee Anti-Virus and run the Dr Web as shown.

The directions might be off just a little but it should be close.

Download to the desktop: Dr.Web CureIt

  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found:
    check.gif
    If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.

STEP 4

Reboot the computer when it's done and then run this program, first making sure ALL other programs are shut down.

Please download the following scanning tool: GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double-click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done, click on the SAVE button, browse to your Desktop and save the file as GMER.LOG.
  • Zip up the GMER.LOG file, save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.


Hi-

Thanks for all your help.

I've followed all the steps and here are my observations; 2 attachments are with this upload.

1- ComboFix run details..

At about Stage 1 or 2, a standard Windows error message popped up. I did not touch the message window and it went away after a while.

============================

explorer.exe - Application error

The exception unknown software (0x000000fd) occurred in the application at location 0x00d7e9ae

Click on OK to terminate the program

Click on CANCEL to debug the program

=============================

After stage 50, when ComboFix was rebooting Windows, the following Windows error message popped up. This is the 2nd time that this command failed. I did not touch the error message and it went away during the ComboFix reboot.

=============================

NirCmd.cfexe - DLL Initialization failed

The application failed to initialize because the window station is shutting down

=============================

The ComboFix reboot took a very long time; the blank screen stayed there for quite some time, with no disk activity. It took the same long time the last time I ran ComboFix. Even with no disk activity, it does reboot successfully and produces the logs at the end.

2- Dr.Web CureIt run.

It took about 4 hrs to complete this run; after it completed, it took about 10 min to reboot the computer.

Internet Explorer performance took a deep dive (extremely slow) after the Dr.Web CureIt run. I'm attaching the CSV and the spreadsheet report produced by this run.

3- GMER run

Attached the LOG file in ZIP format.

4- Observations..

After the Dr.Web CureIt run, I've observed the following after a few tests:

If I reboot the system over and over again without using any programs, the system reboot happens right away.

But if I use any program, say IE (visit a few sites), and then reboot, then along with the system performance degradation the reboot/shutdown takes an extremely long time; something seems to be wrong. The desktop freezes and I cannot open any programs after the reboot/shutdown command is given.

If I try to open Explorer (or any program for that matter) during this freeze period, it complains: explorer.exe - DLL Initialization failed. The application failed to initialize because the window station is shutting down.

Even CTRL+ALT+DEL or bringing up Task Manager does not work at this point.

Following are the logs:

###############################

ComboFix log

ComboFix 09-02-06.04 - Vipul C. Patel 2009-02-07 12:02:43.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.662 [GMT -5:00]

Running from: c:\documents and settings\Vipul C. Patel\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Vipul C. Patel\Desktop\CFscript.txt

FW: McAfee Personal Firewall Plus *enabled*

* Created a new restore point

FILE ::

c:\windows\system32\togeco.dll

.

((((((((((((((((((((((((( Files Created from 2009-01-07 to 2009-02-07 )))))))))))))))))))))))))))))))

.

2009-02-06 09:03 . 2009-02-06 09:03 <DIR> d-------- c:\program files\CCleaner

2009-02-05 22:06 . 2009-02-05 22:06 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2009-02-05 22:03 . 2009-02-05 22:03 <DIR> d-------- c:\program files\NOS

2009-02-05 22:03 . 2009-02-05 22:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\documents and settings\Vipul C. Patel\Application Data\Malwarebytes

2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-05 08:37 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-05 08:37 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-02 21:21 . 2009-02-02 21:21 <DIR> d-------- c:\windows\McAfee.com

2009-02-01 15:07 . 2009-02-01 15:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-02-01 15:07 . 2009-02-06 09:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-28 01:42 . 2009-01-28 01:42 <DIR> d-------- c:\documents and settings\Vipul C. Patel\EurekaLog

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-09 13:28 256 ----a-w c:\documents and settings\Vipul C. Patel\pool.bin

.

((((((((((((((((((((((((((((( SnapShot@2009-02-05_20.45.37.88 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-12-12 20:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe

+ 2008-04-23 04:16:30 1,977,567 ----a-w c:\windows\system32\apiherrdo.dll

+ 2008-04-23 04:16:30 1,259,072 ----a-w c:\windows\system32\apijmhdo.dll

- 2005-07-30 18:32:47 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-02-06 03:03:59 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2005-07-30 18:32:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-02-06 03:03:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2005-07-30 18:32:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-02-06 03:03:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-04-23 04:16:30 1,458,783 ----a-w c:\windows\system32\cracrapow.dll

+ 2008-04-23 04:16:30 1,066,004 ----a-w c:\windows\system32\ehapicra.dll

+ 2008-04-23 04:16:30 2,021,802 ----a-w c:\windows\system32\evwasudo.dll

+ 2008-04-23 04:16:30 2,130,709 ----a-w c:\windows\system32\foexetfo.dll

+ 2008-04-23 04:16:30 1,485,156 ----a-w c:\windows\system32\foswinas.dll

+ 2008-04-23 04:16:30 1,970,778 ----a-w c:\windows\system32\gapiwidll.dll

- 2009-02-06 01:17:59 55,614 ----a-w c:\windows\system32\perfc009.dat

+ 2009-02-07 17:08:43 55,614 ----a-w c:\windows\system32\perfc009.dat

- 2009-02-06 01:17:59 388,050 ----a-w c:\windows\system32\perfh009.dat

+ 2009-02-07 17:08:43 388,050 ----a-w c:\windows\system32\perfh009.dat

+ 2008-04-23 04:16:30 1,494,689 ----a-w c:\windows\system32\petebxlin.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"Second Copy 2000"="c:\program files\SecCopy\SecCopy.exe" [2001-09-17 1134080]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-09 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]

"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2004-07-01 139264]

"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2004-08-17 180224]

"StormCodec_Helper"="c:\program files\Ringz Studio\Storm Codec\StormSet.exe" [2006-07-16 452945]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-07-26 26112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-26 98304]

"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]

"PDUiP6600DMon"="c:\program files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [2005-05-25 69632]

"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2004-08-22 1327104]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]

"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2004-10-25 184320]

"MCAgentExe"="c:\progra~1\McAfee.com\Agent\McAgent.exe" [2004-08-17 245760]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]

"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344]

"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2006-08-15 454144]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

"nwiz"="nwiz.exe" [2006-03-09 c:\windows\system32\nwiz.exe]

c:\documents and settings\Vipul C. Patel\Start Menu\Programs\Startup\

Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-10-02 1283608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]

APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-07-19 221295]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-07-26 24576]

DSW IPSec Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2005-08-08 1425424]

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 51776]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{569DAC0F-2791-46ab-8EFC-A54B77C04C20}"= "c:\program files\DVD Ghost\ExecuteHooker.dll" [2004-07-27 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2004-11-01 10:50 8704 c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.MJPG"= Pvmjpg21.dll

"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\eMule\\emule.exe"=

"c:\\oracle\\product\\9.2.0\\Apache\\Apache\\Apache.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Trillian\\trillian.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=

"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"5900:TCP"= 5900:TCP:*:Disabled:VNC

"5800:TCP"= 5800:TCP:*:Disabled:vnc2

R3 BENDER;Pinnacle DV/AV Capture;c:\windows\system32\drivers\bender.sys [2006-04-26 180480]

R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005-07-26 23296]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-05 33752]

S3 OracleOra920_DB_homeAgent;OracleOra920_DB_homeAgent;c:\oracle\product\9.2.0\bin\agntsrvc.exe [2002-04-26 28944]

S3 OracleOra920_DB_homeClientCache;OracleOra920_DB_homeClientCache;c:\oracle\product\9.2.0\bin\ONRSD.EXE [2002-04-26 242328]

S3 OracleOra920_DB_homeHTTPServer;OracleOra920_DB_homeHTTPServer;c:\oracle\product\9.2.0\Apache\Apache\Apache.exe [2002-04-18 4096]

S3 OracleOra920_DB_homeManagementServer;OracleOra920_DB_homeManagementServer;c:\oracle\product\9.2.0\bin\OMSNTsrv.exe [2002-08-20 53248]

S3 OracleOra920_DB_homePagingServer;OracleOra920_DB_homePagingServer;c:\oracle\product\9.2.0\bin\pagntsrv.exe [2002-08-20 49152]

S3 OracleOra920_DB_homeSNMPPeerEncapsulator;OracleOra920_DB_homeSNMPPeerEncapsulator;c:\oracle\product\9.2.0\bin\encsvc.exe [2002-02-13 187392]

S3 OracleOra920_DB_homeSNMPPeerMasterAgent;OracleOra920_DB_homeSNMPPeerMasterAgent;c:\oracle\product\9.2.0\bin\agntsvc.exe [2002-02-13 254464]

S3 OracleOra920_DB_homeTNSListener;OracleOra920_DB_homeTNSListener;c:\oracle\product\9.2.0\BIN\TNSLSNR --> c:\oracle\product\9.2.0\BIN\TNSLSNR [?]

S3 OracleServiceSAI;OracleServiceSAI;c:\oracle\product\9.2.0\bin\ORACLE.EXE SAI --> c:\oracle\product\9.2.0\bin\ORACLE.EXE SAI [?]

UnknownUnknown dsload;dsload; [x]

.

Contents of the 'Scheduled Tasks' folder

2009-02-07 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Vipul C. Patel).job

- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08]

2009-02-07 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Vipul C. Patel).job

- c:\progra~1\mcafee.com\agent [2007-02-21 16:47]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

TCP: {1C94D276-D18B-4E37-B99C-DABDC16D715E} = 68.87.68.162,68.87.74.162

DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxp://linux1.domain:7779/imtapp/res/jar/cnsload.cab

DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} - hxxp://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe

DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://atloradisp01.iss.net:7778/jinitiator/jinit.exe

DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxp://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-07 12:19:01

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\ehapicra.dll 1066004 bytes executable

c:\windows\system32\foexetfo.dll 2130709 bytes executable

scan completed successfully

hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra920_DB_homePagingServer]

"ImagePath"="c:\oracle\product\9.2.0/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra920_DB_homeTNSListener]

"ImagePath"="c:\oracle\product\9.2.0\BIN\TNSLSNR "

.

------------------------ Other Running Processes ------------------------

.

c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\progra~1\McAfee.com\PERSON~1\MpfService.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wdfmgr.exe

c:\program files\McAfee.com\Agent\mcagent.exe

c:\program files\McAfee.com\Shared\mghtml.exe

c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe

c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe

c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe

.

**************************************************************************

.

Completion time: 2009-02-07 12:24:05 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-07 17:24:03

ComboFix2.txt 2009-02-06 13:46:48

ComboFix3.txt 2009-02-06 03:46:02

ComboFix4.txt 2009-02-06 01:46:59

Pre-Run: 59,848,007,680 bytes free

Post-Run: 59,829,149,696 bytes free

215 --- E O F --- 2008-06-21 07:00:42

##########################

HJT log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:48:14 PM, on 2/7/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

c:\program files\mcafee.com\agent\mcagent.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SecCopy\SecCopy.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Vipul C. Patel\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon_6600D\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe"

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: APC UPS Status.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: DSW IPSec Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - http://linux1.domain:7779/imtapp/res/jar/cnsload.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/33.06/uploader2.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173584011437

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab

O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe

O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) -

O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://atloradisp01.iss.net:7778/jinitiator/jinit.exe

O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) - http://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...514/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1C94D276-D18B-4E37-B99C-DABDC16D715E}: NameServer = 68.87.68.162,68.87.74.162

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: OracleOra920_DB_homeAgent - Oracle Corporation - C:\oracle\product\9.2.0\bin\agntsrvc.exe

O23 - Service: OracleOra920_DB_homeClientCache - Unknown owner - C:\oracle\product\9.2.0\BIN\ONRSD.EXE

O23 - Service: OracleOra920_DB_homeHTTPServer - Unknown owner - C:\oracle\product\9.2.0\Apache\Apache\apache.exe

O23 - Service: OracleOra920_DB_homeManagementServer - Unknown owner - C:\oracle\product\9.2.0\bin\OMSNTsrv.exe

O23 - Service: OracleOra920_DB_homePagingServer - Unknown owner - C:\oracle\product\9.2.0/bin/pagntsrv.exe

O23 - Service: OracleOra920_DB_homeSNMPPeerEncapsulator - Unknown owner - C:\oracle\product\9.2.0\BIN\ENCSVC.EXE

O23 - Service: OracleOra920_DB_homeSNMPPeerMasterAgent - Unknown owner - C:\oracle\product\9.2.0\BIN\AGNTSVC.EXE

O23 - Service: OracleOra920_DB_homeTNSListener - Unknown owner - C:\oracle\product\9.2.0\BIN\TNSLSNR.exe

O23 - Service: OracleServiceSAI - Oracle Corporation - c:\oracle\product\9.2.0\bin\ORACLE.EXE

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--

End of file - 14696 bytes

#######################################

Attachments uploaded are:

1- DrWeb_07feb09_01_xls.zip - this has 2 worksheets, one with CSV data and the other has formatted data

2- GMER_LOG.zip

Please let me know if you have problems viewing these attachments.

Thanks again.

GMER_LOG.zip

DrWeb_07feb09_01_xls.zip



  • Root Admin

Please delete the current copy of Combofix.exe and download a new fresh copy to the desktop.

Additional links to download the tool:

ComboFix.exe

ComboFix.exe

ComboFix.exe

Then disconnect this computer from the Network and do not use any flash drives to transfer data without protecting them.

Something is re-infecting the computer. It needs to be isolated and cleaned before it can get back on the network.

You can take a flash drive and format it as NTFS, then create an autorun.inf file on the root of the drive and put a read-only attribute on it. Then set the permissions to DENY ACCESS for everyone. Then you can use that flash drive to copy data if needed. Otherwise using a burned CD should be the only way to transfer data.

Please uninstall DAEMON Tools and the SPTD file from the system. Then I highly suggest using this Avira CD to scan and fix the system. If you can't burn it then see if you can use a friend's computer or a work computer to create this CD.

Please download this, place a blank CD in your burner and double-click on the downloaded file. It will automatically burn the CD for you.

At the bottom left should be 2 flags. If you use your mouse and click on the British flag the interface should switch to English for you.

Have it scan ALL files. There is no way that I'm aware of to save a log, so you may need to write down any special errors or infections found and their outcome.

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

    Avira AntiVir Rescue System
    Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to:


  • repair a damaged system,
  • rescue data,

  • scan the system for virus infections.


    Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.
    The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.

Rescue CD screen resolution problem

Please see the post here if you're unable to view the entire screen of Avira.

After the Avira CD has run then start the computer and run the Combofix again and post that log.

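The flash-drive hardening steps in the post above, written out as an added example that is not part of the original thread: a Windows XP batch file that formats the drive as NTFS, drops a placeholder autorun.inf, marks it read-only, denies Everyone access to it, and then checks that the file can no longer be overwritten. The drive-letter argument, the volume label and the final registry step (disabling AutoRun on the host PC, which the post does not mention) are assumptions added here.

```bat
@echo off
rem Added example (not from the thread): lock a removable drive's autorun.inf
rem so autorun-style malware on an infected PC cannot replace it.
rem Usage:  harden_usb.cmd F:     (the drive letter is an assumption; adjust it)
rem Run from an administrator command prompt on Windows XP.
rem WARNING: step 1 erases everything on the drive.

setlocal
if "%~1"=="" (
    echo Usage: %~nx0 DRIVE:    e.g.  %~nx0 F:
    exit /b 1
)
set DRV=%~1

rem 1. NTFS is required: FAT/FAT32 has no ACLs, so step 4 would be impossible.
rem    format asks you to press ENTER before it starts on removable media.
format %DRV% /FS:NTFS /Q /V:CLEANUSB
if errorlevel 1 (
    echo format of %DRV% failed
    exit /b 1
)

rem 2. Placeholder autorun.inf. Malware that wants to auto-start from this
rem    drive has to overwrite this file; the ACL below stops that.
echo [autorun]>"%DRV%\autorun.inf"

rem 3. Read-only attribute (a speed bump only; the ACL is the real control).
attrib +R "%DRV%\autorun.inf"

rem 4. Deny all access to Everyone. /E edits the existing ACL instead of
rem    replacing it, so cacls does not prompt for confirmation.
cacls "%DRV%\autorun.inf" /E /D Everyone

rem 5. Check: an overwrite attempt must now fail with "Access is denied".
echo [autorun]>"%DRV%\autorun.inf" 2>nul && (
    echo FAILED: autorun.inf on %DRV% is still writable
    exit /b 1
) || echo OK: autorun.inf on %DRV% is locked

rem 6. (Assumption beyond the post) Also stop this PC from honouring
rem    autorun.inf on any drive type: bit mask 0xFF covers all drive types.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
endlocal
```

Two caveats a practitioner would want. The DENY applies to you as well, which is the point; because you created the file you remain its owner and can still undo it with `cacls F:\autorun.inf /E /R Everyone`. And malware that is already running as an administrator could take ownership and rewrite the ACL, so this blocks the common drop-and-overwrite behaviour of autorun worms, not a determined attacker with admin rights on the infected machine.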

Thanks.

I'm a little confused about the steps instructed. Do you want me to create both the CD and the flash drive?

I'm listing the steps below, see if that is what you want me to do?

1- Delete the current ComboFix.exe and get a new one.

2- Disconnect from the network.

3- De-install DAEMON Tools?

3a- I'm not sure what the SPTD file is? Can you please help me here?

3- I've already created the Avira AntiVir Rescue CD. Do you want me to boot from that CD? If yes, will this run the Avira AntiVir Rescue program automatically after boot or do I need to invoke that from the CD?

4- If you're asking me to boot from the hard drive; are you asking me to run the program manually from the Avira CD? Which program do I click to invoke the Avira Anti-Virus CD?

5- I've made a note of the resolution problem. If that happens, the moderator there recommends running the following command from the command line. If that happens, do I need to switch to any folder within the command prompt to invoke the antivir program?

antivir --allfiles -z -ren /mnt/

Thanks again.


  • Root Admin

SPTD is part of the Daemon Tools and should be removed when you uninstall Daemon Tools.

For now just burn the CD and boot from it and have it scan for Virus and Malware and we'll see what else we need to do after that.

But keep it off of the network from other computers as it seems that it appears to be getting re-infected.


Thanks.

I ran the Avira AntiVir Rescue CD, but did not check "Try to Repair Infected files" and "Rename files if they cannot be removed?"...so it completed the SCAN in about 3hrs...

As you mentioned, there is no way to capture the complete log; I captured the following main excerpt and the last main lines which looked suspicious. Please take a look...

Also, I'm now running the SCAN again with those 2 options checked to repair/move infected files. You wanted me to check those options, correct?

##################################################

09feb09 - Avira AntiVir Rescue CD run...

Scanned files: 168,249

Scanned directories: 18,148

Required time: 03:13:27

Records: 23

Suspect files: 0

Warnings: 18

ALERT: [TR/Crypt.FKM.Gen] /mnt/sda2/System Volume Information/_restore{46DE8921-1D39-44D2-A9E9-64119261F211}RP1/A0000022.dll <<< Is the trojan horse TR/Crypt.FKM.Gen

/mnt/sda2/WINDOWS/system32/gapiwidll.dll << Is the trojan horse TR/Crypt.FKM.Gen

The same message is displayed for the following dlls..

winerrgapi.dll

apiherrdo.dll

foexetfo.dll

foswinas.dll

petebxlin.dll

pexshelin.dll

jeswinje.dll

evwasduo.dll

lojelolo.dll

cracrapow.dll

ebxggdll.dll

My Docs/WinZip/WinZipProv10Keymaker-ZWT.rar -> keygen.exe <<< Is the Trojan Horse TR/PSW.0.TR.1

My Docs/Tools+Software/securecrt/scrt505-tbe.ext <<< Is the Trojan horse TR/Agent.40448.W

##################################################


No, I don't share this computer with anybody. However, I keep RDP port open; to remotely access the computer when I'm away. Why do you ask that? Is there any threat or vulnerability to the computer?

As instructed, I've now successfully run the Avira Rescue CD and the previously reported 23 files were moved.

I'm updating the ComboFix and HJT logs below. I'd connected to the network after ComboFix had completed and produced its log. I've not yet removed DAEMON Tools, as in the last update you mentioned to run the Avira Rescue CD for now. Let me know if I need to de-install DAEMON Tools.

Here are the logs.

Thanks.

#########################################

ComboFix log

ComboFix 09-02-07.01 - Vipul C. Patel 2009-02-09 19:30:45.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.677 [GMT -5:00]

Running from: c:\documents and settings\Vipul C. Patel\Desktop\ComboFix.exe

FW: McAfee Personal Firewall Plus *enabled*

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))

.

2009-02-07 18:04 . 2009-02-07 18:04 250 --a------ c:\windows\gmer.ini

2009-02-07 12:41 . 2009-02-07 12:44 <DIR> d-------- c:\documents and settings\Vipul C. Patel\DoctorWeb

2009-02-06 09:03 . 2009-02-06 09:03 <DIR> d-------- c:\program files\CCleaner

2009-02-05 22:06 . 2009-02-05 22:06 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2009-02-05 22:03 . 2009-02-05 22:03 <DIR> d-------- c:\program files\NOS

2009-02-05 22:03 . 2009-02-05 22:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\documents and settings\Vipul C. Patel\Application Data\Malwarebytes

2009-02-05 08:37 . 2009-02-05 08:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-05 08:37 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-05 08:37 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-02 21:21 . 2009-02-02 21:21 <DIR> d-------- c:\windows\McAfee.com

2009-02-01 15:07 . 2009-02-01 15:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-02-01 15:07 . 2009-02-06 09:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-28 01:42 . 2009-01-28 01:42 <DIR> d-------- c:\documents and settings\Vipul C. Patel\EurekaLog

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-08 18:35 --------- d-----w c:\program files\eMule

2008-12-09 13:28 256 ----a-w c:\documents and settings\Vipul C. Patel\pool.bin

2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr

.

((((((((((((((((((((((((((((( SnapShot@2009-02-05_20.45.37.88 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-02-07 23:04:45 884,736 ----a-w c:\windows\gmer.dll

+ 2008-04-18 02:13:02 811,008 ----a-w c:\windows\gmer.exe

+ 2007-12-12 20:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe

- 2005-07-30 18:32:47 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-02-06 03:03:59 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2005-07-30 18:32:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-02-06 03:03:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2005-07-30 18:32:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-02-06 03:03:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-02-07 23:04:45 85,969 ----a-w c:\windows\system32\drivers\gmer.sys

- 2009-02-06 01:17:59 55,614 ----a-w c:\windows\system32\perfc009.dat

+ 2009-02-10 00:30:32 55,614 ----a-w c:\windows\system32\perfc009.dat

- 2009-02-06 01:17:59 388,050 ----a-w c:\windows\system32\perfh009.dat

+ 2009-02-10 00:30:32 388,050 ----a-w c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"Second Copy 2000"="c:\program files\SecCopy\SecCopy.exe" [2001-09-17 1134080]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-09 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]

"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2004-07-01 139264]

"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2004-08-17 180224]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-07-26 26112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-26 98304]

"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]

"PDUiP6600DMon"="c:\program files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [2005-05-25 69632]

"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2004-08-22 1327104]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]

"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2004-10-25 184320]

"MCAgentExe"="c:\progra~1\McAfee.com\Agent\McAgent.exe" [2004-08-17 245760]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]

"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344]

"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2006-08-15 454144]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

"nwiz"="nwiz.exe" [2006-03-09 c:\windows\system32\nwiz.exe]

c:\documents and settings\Vipul C. Patel\Start Menu\Programs\Startup\

Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-10-02 1283608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]

APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-07-19 221295]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-07-26 24576]

DSW IPSec Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2005-08-08 1425424]

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 51776]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{569DAC0F-2791-46ab-8EFC-A54B77C04C20}"= "c:\program files\DVD Ghost\ExecuteHooker.dll" [2004-07-27 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2004-11-01 10:50 8704 c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.MJPG"= Pvmjpg21.dll

"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\oracle\\product\\9.2.0\\Apache\\Apache\\Apache.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Trillian\\trillian.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"5900:TCP"= 5900:TCP:*:Disabled:VNC

"5800:TCP"= 5800:TCP:*:Disabled:vnc2

R3 BENDER;Pinnacle DV/AV Capture;c:\windows\system32\drivers\bender.sys [2006-04-26 180480]

R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005-07-26 23296]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-05 33752]

S3 OracleOra920_DB_homeAgent;OracleOra920_DB_homeAgent;c:\oracle\product\9.2.0\bin\agntsrvc.exe [2002-04-26 28944]

S3 OracleOra920_DB_homeClientCache;OracleOra920_DB_homeClientCache;c:\oracle\product\9.2.0\bin\ONRSD.EXE [2002-04-26 242328]

S3 OracleOra920_DB_homeHTTPServer;OracleOra920_DB_homeHTTPServer;c:\oracle\product\9.2.0\Apache\Apache\Apache.exe [2002-04-18 4096]

S3 OracleOra920_DB_homeManagementServer;OracleOra920_DB_homeManagementServer;c:\oracle\product\9.2.0\bin\OMSNTsrv.exe [2002-08-20 53248]

S3 OracleOra920_DB_homePagingServer;OracleOra920_DB_homePagingServer;c:\oracle\product\9.2.0\bin\pagntsrv.exe [2002-08-20 49152]

S3 OracleOra920_DB_homeSNMPPeerEncapsulator;OracleOra920_DB_homeSNMPPeerEncapsulator;c:\oracle\product\9.2.0\bin\encsvc.exe [2002-02-13 187392]

S3 OracleOra920_DB_homeSNMPPeerMasterAgent;OracleOra920_DB_homeSNMPPeerMasterAgent;c:\oracle\product\9.2.0\bin\agntsvc.exe [2002-02-13 254464]

S3 OracleOra920_DB_homeTNSListener;OracleOra920_DB_homeTNSListener;c:\oracle\product\9.2.0\BIN\TNSLSNR --> c:\oracle\product\9.2.0\BIN\TNSLSNR [?]

S3 OracleServiceSAI;OracleServiceSAI;c:\oracle\product\9.2.0\bin\ORACLE.EXE SAI --> c:\oracle\product\9.2.0\bin\ORACLE.EXE SAI [?]

UnknownUnknown dsload;dsload; [x]

.

Contents of the 'Scheduled Tasks' folder

2009-02-09 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Vipul C. Patel).job

- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-25 11:08]

2009-02-09 c:\windows\Tasks\McAfee.com Update Check (SHANTI-Vipul C. Patel).job

- c:\progra~1\mcafee.com\agent [2007-02-21 16:47]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

TCP: {1C94D276-D18B-4E37-B99C-DABDC16D715E} = 68.87.68.162,68.87.74.162

DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxp://linux1.domain:7779/imtapp/res/jar/cnsload.cab

DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} - hxxp://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe

DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://atloradisp01.iss.net:7778/jinitiator/jinit.exe

DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxp://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-09 19:35:46

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra920_DB_homePagingServer]

"ImagePath"="c:\oracle\product\9.2.0/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra920_DB_homeTNSListener]

"ImagePath"="c:\oracle\product\9.2.0\BIN\TNSLSNR "

.

Completion time: 2009-02-09 19:40:20

ComboFix-quarantined-files.txt 2009-02-10 00:39:01

ComboFix2.txt 2009-02-07 17:24:06

ComboFix3.txt 2009-02-06 13:46:48

ComboFix4.txt 2009-02-06 03:46:02

ComboFix5.txt 2009-02-10 00:29:43

Pre-Run: 59,876,585,472 bytes free

Post-Run: 59,880,710,144 bytes free

183 --- E O F --- 2008-06-21 07:00:42

#######################

HJT log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:45:56 PM, on 2/9/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

c:\program files\mcafee.com\agent\mcagent.exe

C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SecCopy\SecCopy.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Vipul C. Patel\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon_6600D\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe"

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: APC UPS Status.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: DSW IPSec Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon_6600D\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - http://linux1.domain:7779/imtapp/res/jar/cnsload.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/33.06/uploader2.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173584011437

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab

O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe

O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) -

O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://atloradisp01.iss.net:7778/jinitiator/jinit.exe

O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) - http://oracle2.lifedata.ldl:8010/jinitiator/oajinit.exe

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...514/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1C94D276-D18B-4E37-B99C-DABDC16D715E}: NameServer = 68.87.68.162,68.87.74.162

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: OracleOra920_DB_homeAgent - Oracle Corporation - C:\oracle\product\9.2.0\bin\agntsrvc.exe

O23 - Service: OracleOra920_DB_homeClientCache - Unknown owner - C:\oracle\product\9.2.0\BIN\ONRSD.EXE

O23 - Service: OracleOra920_DB_homeHTTPServer - Unknown owner - C:\oracle\product\9.2.0\Apache\Apache\apache.exe

O23 - Service: OracleOra920_DB_homeManagementServer - Unknown owner - C:\oracle\product\9.2.0\bin\OMSNTsrv.exe

O23 - Service: OracleOra920_DB_homePagingServer - Unknown owner - C:\oracle\product\9.2.0/bin/pagntsrv.exe

O23 - Service: OracleOra920_DB_homeSNMPPeerEncapsulator - Unknown owner - C:\oracle\product\9.2.0\BIN\ENCSVC.EXE

O23 - Service: OracleOra920_DB_homeSNMPPeerMasterAgent - Unknown owner - C:\oracle\product\9.2.0\BIN\AGNTSVC.EXE

O23 - Service: OracleOra920_DB_homeTNSListener - Unknown owner - C:\oracle\product\9.2.0\BIN\TNSLSNR.exe

O23 - Service: OracleServiceSAI - Oracle Corporation - c:\oracle\product\9.2.0\bin\ORACLE.EXE

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--

End of file - 14421 bytes

#####################

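The O16 (downloaded ActiveX controls), O17 (per-adapter DNS servers) and O23 (services) sections of the log above are the ones a log helper reads by hand. What follows is an added example, not code from this thread or from HijackThis: a small Python triage script that parses those three line types and flags the things a reviewer checks first: a DPF entry with no download source left behind, one registered from a local file instead of a URL, one fetched from a non-standard port or as a bare executable, a NameServer that is not on the resolver list the operator supplies, and a service whose binary carries no company name (HijackThis prints "Unknown owner" when it cannot read one from the file's version information) or has a non-canonical path. The sample lines are copied from the log posted above; the expected-resolver list is an assumption the caller passes in.

```python
"""Triage of HijackThis O16 / O17 / O23 lines.

Added example for this thread; not part of HijackThis or of the original post.
SAMPLE_LOG is copied from the log posted above. The expected-resolver list is
an assumption supplied by the caller.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# O16 - DPF: {GUID} (Name) - <url or local path, may be empty>
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - ?(.*)$")
# O17 - <adapter registry key>: NameServer = ip[,ip...]
O17_RE = re.compile(r"^O17 - (\S+): NameServer = (.*)$")
# O23 - Service: <name> - <owner from version info> - <binary path>
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def triage_o16(guid, name, target):
    """Flags on a Downloaded Program Files (ActiveX) registration."""
    if not target:
        return ["O16 entry has no download source (orphaned DPF registration)"]
    u = urlparse(target)
    if u.scheme not in ("http", "https"):
        # urlparse treats "C:\..." as scheme "c", so a local path lands here.
        return ["O16 points at a local file, not a download URL"]
    reasons = []
    if u.port not in (None, 80, 443):
        reasons.append(f"O16 control downloaded from non-standard port {u.port}")
    if u.path.lower().endswith(".exe"):
        reasons.append("O16 source is a bare executable rather than a .cab")
    return reasons


def triage_o17(adapter, servers, expected_dns):
    """Any resolver not on the operator's expected list gets a finding."""
    unexpected = [s for s in servers if s not in expected_dns]
    if unexpected:
        return [f"O17 NameServer {','.join(unexpected)} not in expected resolver list"]
    return []


def triage_o23(name, owner, path):
    """Flags on a registered service."""
    reasons = []
    if owner.lower() == "unknown owner":
        reasons.append("O23 service binary has no company name in its version info")
    if "/" in path:
        reasons.append("O23 service path uses non-canonical separators")
    return reasons


def triage(lines, expected_dns=()):
    """Parse the O16/O17/O23 lines in `lines` and return a list of Finding."""
    expected = set(expected_dns)
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if (m := O16_RE.match(line)):
            reasons = triage_o16(*m.groups())
        elif (m := O17_RE.match(line)):
            adapter, servers = m.groups()
            reasons = triage_o17(adapter, [s.strip() for s in servers.split(",")], expected)
        elif (m := O23_RE.match(line)):
            reasons = triage_o23(*m.groups())
        else:
            continue  # other HJT sections are out of scope here
        findings.extend(Finding(line, r) for r in reasons)
    return findings


# Lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) -
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://atloradisp01.iss.net:7778/jinitiator/jinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C94D276-D18B-4E37-B99C-DABDC16D715E}: NameServer = 68.87.68.162,68.87.74.162
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: OracleOra920_DB_homePagingServer - Unknown owner - C:\oracle\product\9.2.0/bin/pagntsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
""".splitlines()


if __name__ == "__main__":
    # Assumed resolver list: whatever the ISP or corporate network hands out.
    for f in triage(SAMPLE_LOG, expected_dns=["68.87.68.162", "68.87.74.162"]):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample, the script reports the orphaned JInitiator 1.3.1.21 entry, the Yahoo! control registered from a local DLL, the JInitiator 1.3.1.22 download on port 7778 as an .exe, and the two "Unknown owner" services (the Oracle one also for its mixed slashes). It is a first pass, not a verdict: "Unknown owner" on a McAfee component is a version-info gap, not malware, and the O17 addresses should be compared with what the ISP or network actually issues before they are accepted or reset.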

Root Admin

My Docs/WinZip/WinZipProv10Keymaker-ZWT.rar -> keygen.exe

Well I'm sorry but since you have evidence of cracked or pirated software you're using on the system I have no choice but to close this thread now.

If you feel this is inaccurate information please send any Moderator a private message explaining in detail and they will review your information in private.

HiJack This! Forum Policy

We will not be party to obvious use of keygens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.

I can no longer assist you due to board policy, but you should probably be in good shape now.

Download and Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 12.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 12, about halfway down the page, and click on the Download button.
  • In the Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe, and save the downloaded file to your desktop.
  • Install the new version by running the newly downloaded file with the Java icon, which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar).
  • Reboot your computer.