
Cannot run Malwarebytes (Spyware2009 problem)



To whom it may concern: my computer recently got infected with the Spyware2009 program. I installed Malwarebytes onto my flash drive, but every time I try to launch it, nothing happens. Below is my log. Please let me know what I can do next. Thank you!!!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:09:17 AM, on 3/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\SafeBoot\SbClientManager.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE

C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.EXE

C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE

C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\WINDOWS\sysguard.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\svcho.exe

C:\WINDOWS\system32\taskmgr.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

E:\PortableApps\PortableApps\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061125

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061125

O1 - Hosts: 195.245.119.131 browser-security.microsoft.com

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\helper.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll

O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"

O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r

O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"

O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /O6 "USB002" /M "Stylus Photo R220"

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sBEVMON.EXE] C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.EXE -WinLogon

O4 - HKLM\..\Run: [safeBootTrayManager] "C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"

O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /M "Stylus Photo R220" /EF "HKCU"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [EPSON Stylus Photo R260 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE /FU "C:\DOCUME~1\GIFTED\LOCALS~1\Temp\E_S37.tmp" /EF "HKCU"

O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Policies\Explorer\Run: [svcho] C:\WINDOWS\svcho.exe

O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Logitech SetPoint.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} (LightSurfUploadCtl Class) - http://pictures.sprintpcs.com/activex/Ligh...loadControl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165103620734

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O16 - DPF: {D1519EBF-06AB-4FDD-8DB2-836893F3DED7} (MPEX Control) - https://plaympe.com/activex/PlayMPEX.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://gaoportal1.gao.gov/dana-cached/setu...perSetupSP1.cab

O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.3.4.cab

O18 - Filter hijack: text/html - {cfe185ef-b58c-442f-96f5-38a3b9739201} - C:\WINDOWS\system32\mst122.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

O23 - Service: SafeBoot Client Manager (SafeBootClientManager) - SafeBoot International - C:\Program Files\SafeBoot\SbClientManager.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--

End of file - 14592 bytes


Root Admin

Please copy this to your system and run it. Rename it if you have to, or try in Safe Mode if you have to.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Here's the ComboFix log:

ComboFix 09-03-04.01 - GIFTED 2009-03-05 7:39:16.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1514 [GMT -5:00]

Running from: c:\documents and settings\GIFTED\Desktop\bandy.exe

AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated)

FW: PC-cillin Internet Security - Firewall *enabled*

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\program files\Common\helper.dll

c:\program files\Common\helper.sig

c:\program files\ISM

c:\windows\IE4 Error Log.txt

c:\windows\sysguard.exe

c:\windows\system32\a.exe

c:\windows\system32\drivers\seneka.sys

c:\windows\system32\drivers\senekautxbxwdc.sys

c:\windows\system32\drivers\UACnebsoqju.sys

c:\windows\system32\iehelper.dll

c:\windows\system32\senekaksunebdd.dll

c:\windows\system32\senekaniraronu.dat

c:\windows\system32\tdssservers.dat

c:\windows\system32\UACachsdvpj.dll

c:\windows\system32\UAChbqkcxvj.dat

c:\windows\system32\UAChrjaldds.log

c:\windows\system32\UACmkxxnweu.log

c:\windows\system32\UACmmaudeiy.dll

c:\windows\system32\UACoqihcmft.dll

c:\windows\system32\UACqmyiqdls.dll

c:\windows\system32\UACuwilrnno.log

c:\windows\system32\x64

c:\windows\Tasks\naqblqns.job

----- BITS: Possible infected sites -----

hxxp://vestepau.cn

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))

.

2009-03-04 08:32 . 2009-03-04 23:05 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-04 07:49 . 2009-03-04 07:49 16,896 --a------ c:\windows\syssvc.exe

2009-03-04 07:49 . 2009-03-04 07:49 16,896 --a------ c:\windows\svcho.exe

2009-03-03 20:02 . 2009-03-03 20:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-03 20:02 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-03 20:02 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-03 10:01 . 2009-03-03 10:01 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-03-03 10:01 . 2009-03-03 10:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-03 09:31 . 2009-03-03 09:31 <DIR> d-------- c:\documents and settings\test345\Application Data\Logitech

2009-03-03 09:30 . 2008-03-18 08:35 <DIR> d-------- c:\documents and settings\test345\Application Data\Juniper Networks

2009-03-03 09:30 . 2006-11-25 13:31 <DIR> d--h----- c:\documents and settings\test345\Application Data\Gtek

2009-03-03 09:30 . 2006-11-25 13:08 <DIR> d-------- c:\documents and settings\test345\Application Data\Creative

2009-03-03 09:30 . 2009-03-03 09:30 <DIR> d-------- c:\documents and settings\test345

2009-03-03 09:09 . 2009-03-03 09:09 <DIR> d-------- c:\documents and settings\test123\Application Data\Logitech

2009-03-03 09:07 . 2008-03-18 08:35 <DIR> d-------- c:\documents and settings\test123\Application Data\Juniper Networks

2009-03-03 09:07 . 2006-11-25 13:31 <DIR> d--h----- c:\documents and settings\test123\Application Data\Gtek

2009-03-03 09:07 . 2006-11-25 13:08 <DIR> d-------- c:\documents and settings\test123\Application Data\Creative

2009-03-03 09:07 . 2009-03-03 09:07 <DIR> d-------- c:\documents and settings\test123

2009-03-03 08:00 . 2009-03-03 08:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Juniper Networks

2009-03-03 07:46 . 2008-04-13 19:12 26,112 --a------ c:\windows\system32\stu2.exe

2009-03-03 07:46 . 2009-03-05 07:23 5,510 --a------ c:\windows\system32\uacinit.dll

2009-02-11 03:10 . 2009-02-11 03:10 8 --a------ c:\windows\system32\nvModes.dat

2009-02-11 03:09 . 2009-02-11 03:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles

2009-02-10 07:22 . 2009-03-05 07:39 <DIR> d-------- c:\program files\Common

2009-02-07 15:55 . 2009-02-07 15:56 9,662 --a------ c:\windows\EPISME00.SWB

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-03 13:20 --------- d-----w c:\program files\Viewpoint

2009-03-03 13:15 --------- d-----w c:\program files\Dell

2009-03-03 13:15 --------- d-----w c:\program files\Common Files\AOL

2009-03-03 13:15 --------- d-----w c:\documents and settings\All Users\Application Data\AOL

2009-03-03 13:14 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

2009-03-03 13:12 --------- d-----w c:\program files\GemMaster

2009-03-03 05:08 --------- d-----w c:\program files\World of Warcraft

2009-03-02 12:43 --------- d-----w c:\documents and settings\GIFTED\Application Data\Juniper Networks

2009-03-02 12:43 --------- d-----w c:\documents and settings\All Users\Application Data\Juniper Networks

2009-02-28 01:22 --------- d-----w c:\documents and settings\GIFTED\Application Data\Move Networks

2009-02-20 12:49 --------- d-----w c:\program files\EPSON Print CD

2009-02-11 08:09 --------- d-----w c:\program files\Google

2009-01-15 08:39 90,112 ----a-w c:\windows\DUMP64b5.tmp

2007-11-28 19:12 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2007-11-28 19:12 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2007-11-28 19:12 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2007-11-28 19:12 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2007-11-28 19:12 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

.

------- Sigcheck -------

2004-08-10 05:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe

2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe

2009-03-03 07:46 17920 3d2deea032afd945261542b345733a5f c:\windows\system32\userinit.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]

"EPSON Stylus Photo R220 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 68856]

"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]

"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]

"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]

"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]

"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-03 185896]

"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]

"EPSON Stylus Photo R220 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-11-21 35328]

"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]

"SBEVMON.EXE"="c:\progra~1\SafeBoot\vdisk\SBEVMON.EXE" [2007-10-26 176128]

"SafeBootTrayManager"="c:\program files\SafeBoot Tray Manager\SbTrayManager.exe" [2007-06-12 69632]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-25 13570048]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-25 86016]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]

"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]

"CTHelper"="CTHELPER.EXE" [2005-11-08 c:\windows\CTHELPER.EXE]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-01 c:\windows\system32\CTXFIHLP.EXE]

"nwiz"="nwiz.exe" [2008-07-25 c:\windows\system32\nwiz.exe]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 68856]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]

"svcho"="c:\windows\svcho.exe" [2009-03-04 16896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-30 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-01-03 688128]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ SbNp5 scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.7.6383-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.10.6448-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=

"c:\\Documents and Settings\\GIFTED\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\svcho.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-02-22 101647]

R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-07-16 44720]

R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\SBALG01.SYS [2004-11-29 7504]

R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\SBALG12.SYS [2006-10-05 44752]

R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2007-10-26 23552]

R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-02-22 6272]

R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2008-02-22 5840]

R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2008-02-22 34000]

R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2008-02-22 14960]

R2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\SafeBoot\SbClientManager.exe [2008-02-22 356352]

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~2\Tmntsrv.exe [2006-09-18 345696]

R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~2\TmPfw.exe [2006-08-29 923216]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-09-11 36368]

R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~2\tmproxy.exe [2006-08-29 566872]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-08-29 280392]

S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};\??\c:\windows\TEMP\11E.tmp --> c:\windows\TEMP\11E.tmp [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13008daa-54bf-11dd-ae7c-001676b7ead6}]

\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

\Shell\AutoRun\command - E:\setup.exe

.

Contents of the 'Scheduled Tasks' folder

2009-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

.

- - - - ORPHANS REMOVED - - - -

BHO-{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - c:\program files\Common\helper.dll

BHO-{C9C42510-9B21-41c1-9DCD-8382A2D07C61} - c:\windows\system32\iehelper.dll

HKCU-Run-system tool - c:\windows\sysguard.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

LSP: c:\program files\Neoteris\Secure Application Manager\gapsp.dll

DPF: {D1519EBF-06AB-4FDD-8DB2-836893F3DED7} - hxxps://plaympe.com/activex/PlayMPEX.cab

FF - ProfilePath - c:\documents and settings\GIFTED\Application Data\Mozilla\Firefox\Profiles\n0a54z4x.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-05 07:48:16

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTHelper = CTHELPER.EXE?

CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]

"ImagePath"="\??\c:\windows\TEMP\11E.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ


Here is the hijack log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:00:38 AM, on 3/5/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\SafeBoot\SbClientManager.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE

C:\Program Files\Winamp\winampa.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.EXE

C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

C:\WINDOWS\svcho.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\internet explorer\iexplore.exe

E:\PortableApps\PortableApps\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061125

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"

O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r

O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"

O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /O6 "USB002" /M "Stylus Photo R220"

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sBEVMON.EXE] C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.EXE -WinLogon

O4 - HKLM\..\Run: [safeBootTrayManager] "C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"

O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /M "Stylus Photo R220" /EF "HKCU"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Policies\Explorer\Run: [svcho] C:\WINDOWS\svcho.exe

O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Logitech SetPoint.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} (LightSurfUploadCtl Class) - http://pictures.sprintpcs.com/activex/Ligh...loadControl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165103620734

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O16 - DPF: {D1519EBF-06AB-4FDD-8DB2-836893F3DED7} (MPEX Control) - https://plaympe.com/activex/PlayMPEX.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://gaoportal1.gao.gov/dana-cached/setu...perSetupSP1.cab

O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.3.4.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

O23 - Service: SafeBoot Client Manager (SafeBootClientManager) - SafeBoot International - C:\Program Files\SafeBoot\SbClientManager.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--

End of file - 13278 bytes


I was able to run Malwarebytes. Below is my log. As it was doing the scan, Trend Micro detected a trojan called TROJ FAKEALER.TV inside C:\Windows\svcho.exe and C:\Windows\syssvc.exe. It was able to quarantine the syssvc.exe file, but could not take care of svcho.exe.

Malwarebytes' Anti-Malware 1.34

Database version: 1749

Windows 5.1.2600 Service Pack 3

3/5/2009 8:07:17 AM

mbam-log-2009-03-05 (08-07-17).txt

Scan type: Quick Scan

Objects scanned: 78007

Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{def85c80-216a-43ab-af70-1665edbe2780} (Spyware.Sinowal) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.


  • Root Admin

STEP 01

Please disable Spybot TEA TIMER. DO NOT continue until Tea Timer is disabled.

Disable Teatimer

First step:

  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, for either version:

  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

STEP 02

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, highlight and then right-click | Copy the entire contents of the Code box below, including blank lines:

KILLALL::

Driver::

{DEF85C80-216A-43ab-AF70-1665EDBE2780}

File::

c:\windows\TEMP\11E.tmp

c:\windows\syssvc.exe

c:\windows\svcho.exe

c:\windows\system32\stu2.exe

c:\windows\system32\uacinit.dll

c:\windows\system32\nvModes.dat

c:\windows\EPISME00.SWB

c:\windows\DUMP64b5.tmp

Registry::

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]

"svcho"=-

[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]

RegLock::

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ


ComboFix 09-03-04.01 - GIFTED 2009-03-06 20:36:55.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1403 [GMT -5:00]

Running from: c:\documents and settings\GIFTED\Desktop\bip.exe

Command switches used :: c:\documents and settings\GIFTED\Desktop\CFscript.txt

AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated)

FW: PC-cillin Internet Security - Firewall *enabled*

* Created a new restore point

FILE ::

c:\windows\DUMP64b5.tmp

c:\windows\EPISME00.SWB

c:\windows\svcho.exe

c:\windows\syssvc.exe

c:\windows\system32\nvModes.dat

c:\windows\system32\stu2.exe

c:\windows\system32\uacinit.dll

c:\windows\TEMP\11E.tmp

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\uacinit.dll

.

((((((((((((((((((((((((( Files Created from 2009-02-07 to 2009-03-07 )))))))))))))))))))))))))))))))

.

2009-03-05 08:24 . 2008-09-17 23:55 453,152 --a------ c:\windows\system32\nvuninst.exe

2009-03-05 08:24 . 2008-09-17 23:55 453,152 --a------ c:\windows\system32\nvudisp.exe

2009-03-05 08:24 . 2009-03-06 19:56 200,712 --a------ c:\windows\system32\nvapps.xml

2009-03-05 08:24 . 2008-09-17 23:55 18,394 --a------ c:\windows\system32\nvdisp.nvu

2009-03-05 08:02 . 2009-03-05 08:02 <DIR> d-------- c:\documents and settings\GIFTED\Application Data\Malwarebytes

2009-03-04 08:32 . 2009-03-04 23:05 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-03 20:02 . 2009-03-03 20:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-03 20:02 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-03 20:02 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-03 10:01 . 2009-03-03 10:01 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-03-03 10:01 . 2009-03-06 08:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-03 09:31 . 2009-03-03 09:31 <DIR> d-------- c:\documents and settings\test345\Application Data\Logitech

2009-03-03 09:30 . 2008-03-18 08:35 <DIR> d-------- c:\documents and settings\test345\Application Data\Juniper Networks

2009-03-03 09:30 . 2006-11-25 13:31 <DIR> d--h----- c:\documents and settings\test345\Application Data\Gtek

2009-03-03 09:30 . 2006-11-25 13:08 <DIR> d-------- c:\documents and settings\test345\Application Data\Creative

2009-03-03 09:30 . 2009-03-03 09:30 <DIR> d-------- c:\documents and settings\test345

2009-03-03 09:09 . 2009-03-03 09:09 <DIR> d-------- c:\documents and settings\test123\Application Data\Logitech

2009-03-03 09:07 . 2008-03-18 08:35 <DIR> d-------- c:\documents and settings\test123\Application Data\Juniper Networks

2009-03-03 09:07 . 2006-11-25 13:31 <DIR> d--h----- c:\documents and settings\test123\Application Data\Gtek

2009-03-03 09:07 . 2006-11-25 13:08 <DIR> d-------- c:\documents and settings\test123\Application Data\Creative

2009-03-03 09:07 . 2009-03-03 09:07 <DIR> d-------- c:\documents and settings\test123

2009-03-03 08:00 . 2009-03-03 08:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Juniper Networks

2009-02-11 03:09 . 2009-02-11 03:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles

2009-02-10 07:22 . 2009-03-05 07:39 <DIR> d-------- c:\program files\Common

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-03 13:20 --------- d-----w c:\program files\Viewpoint

2009-03-03 13:15 --------- d-----w c:\program files\Dell

2009-03-03 13:15 --------- d-----w c:\program files\Common Files\AOL

2009-03-03 13:15 --------- d-----w c:\documents and settings\All Users\Application Data\AOL

2009-03-03 13:14 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

2009-03-03 13:12 --------- d-----w c:\program files\GemMaster

2009-03-03 05:08 --------- d-----w c:\program files\World of Warcraft

2009-03-02 12:43 --------- d-----w c:\documents and settings\GIFTED\Application Data\Juniper Networks

2009-03-02 12:43 --------- d-----w c:\documents and settings\All Users\Application Data\Juniper Networks

2009-02-28 01:22 --------- d-----w c:\documents and settings\GIFTED\Application Data\Move Networks

2009-02-20 12:49 --------- d-----w c:\program files\EPSON Print CD

2009-02-11 08:09 --------- d-----w c:\program files\Google

2007-11-28 19:12 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2007-11-28 19:12 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2007-11-28 19:12 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2007-11-28 19:12 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2007-11-28 19:12 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

.

------- Sigcheck -------

2004-08-10 05:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe

2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe

2009-03-03 07:46 17920 3d2deea032afd945261542b345733a5f c:\windows\system32\userinit.exe

.

((((((((((((((((((((((((((((( SnapShot_2009-03-06_20.31.29.35 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-03-07 01:21:20 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-03-07 01:40:38 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-03-07 01:21:20 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-03-07 01:40:38 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-03-07 01:21:20 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-03-07 01:40:38 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]

"EPSON Stylus Photo R220 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 68856]

"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"system tool"="c:\windows\sysguard.exe" [bU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]

"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]

"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]

"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]

"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-03 185896]

"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]

"EPSON Stylus Photo R220 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-11-21 35328]

"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]

"SBEVMON.EXE"="c:\progra~1\SafeBoot\vdisk\SBEVMON.EXE" [2007-10-26 176128]

"SafeBootTrayManager"="c:\program files\SafeBoot Tray Manager\SbTrayManager.exe" [2007-06-12 69632]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]

"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]

"CTHelper"="CTHELPER.EXE" [2005-11-08 c:\windows\CTHELPER.EXE]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-01 c:\windows\system32\CTXFIHLP.EXE]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 c:\windows\KHALMNPR.Exe]

"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 68856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-30 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-01-03 688128]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ SbNp5 scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.7.6383-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.10.6448-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=

"c:\\Documents and Settings\\GIFTED\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-02-22 101647]

R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-07-16 44720]

R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\SBALG01.SYS [2004-11-29 7504]

R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\SBALG12.SYS [2006-10-05 44752]

R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2007-10-26 23552]

R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-02-22 6272]

R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2008-02-22 5840]

R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2008-02-22 34000]

R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2008-02-22 14960]

R2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\SafeBoot\SbClientManager.exe [2008-02-22 356352]

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~2\Tmntsrv.exe [2006-09-18 345696]

R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~2\TmPfw.exe [2006-08-29 923216]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-09-11 36368]

R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~2\tmproxy.exe [2006-08-29 566872]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-08-29 280392]

S0 rpgr;rpgr;c:\windows\system32\drivers\jkfrnexd.sys --> c:\windows\system32\drivers\jkfrnexd.sys [?]

S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13008daa-54bf-11dd-ae7c-001676b7ead6}]

\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

\Shell\AutoRun\command - E:\setup.exe

.

Contents of the 'Scheduled Tasks' folder

2009-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

LSP: c:\program files\Neoteris\Secure Application Manager\gapsp.dll

DPF: {D1519EBF-06AB-4FDD-8DB2-836893F3DED7} - hxxps://plaympe.com/activex/PlayMPEX.cab

FF - ProfilePath - c:\documents and settings\GIFTED\Application Data\Mozilla\Firefox\Profiles\n0a54z4x.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-06 20:42:36

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTHelper = CTHELPER.EXE?

CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ

Malwarebytes' Anti-Malware 1.34

Database version: 1825

Windows 5.1.2600 Service Pack 3

3/6/2009 9:01:37 PM

mbam-log-2009-03-06 (21-01-37).txt

Scan type: Quick Scan

Objects scanned: 80302

Time elapsed: 3 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{cfe185ef-b58c-442f-96f5-38a3b9739201} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\mst122.dll (Trojan.Agent) -> Quarantined and deleted successfully.

DDS (Ver_09-02-01.01) - NTFSx86

Run by GIFTED at 21:04:12.31 on Fri 03/06/2009

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1319 [GMT -5:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated)

FW: PC-cillin Internet Security - Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\SafeBoot\SbClientManager.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

svchost.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

"C:\WINDOWS\system32\svchost.exe"

C:\WINDOWS\system32\dllhost.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE

C:\Program Files\Winamp\winampa.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.EXE

C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Documents and Settings\GIFTED\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: NoExplorer - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll

BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll

TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"

uRun: [EPSON Stylus Photo R220 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /M "Stylus Photo R220" /EF "HKCU"

uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [CTHelper] CTHELPER.EXE

mRun: [CTxfiHlp] CTXFIHLP.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe

mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe

mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"

mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r

mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"

mRun: [EPSON Stylus Photo R220 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /O6 "USB002" /M "Stylus Photo R220"

mRun: [WinampAgent] c:\program files\winamp\winampa.exe

mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sBEVMON.EXE] c:\progra~1\safeboot\vdisk\SBEVMON.EXE -WinLogon

mRun: [safeBootTrayManager] "c:\program files\safeboot tray manager\SbTrayManager.exe"

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [LVCOMSX] "c:\program files\common files\logishrd\lcommgr\LVComSX.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: c:\program files\neoteris\secure application manager\gapsp.dll

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} - hxxp://pictures.sprintpcs.com/activex/LightSurfUploadControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165103620734

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab

DPF: {D1519EBF-06AB-4FDD-8DB2-836893F3DED7} - hxxps://plaympe.com/activex/PlayMPEX.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://gaoportal1.gao.gov/dana-cached/setup/JuniperSetupSP1.cab

DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.4.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: igfxcui - igfxdev.dll

LSA: Notification Packages = SbNp5 scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gifted\applic~1\mozilla\firefox\profiles\n0a54z4x.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

============= SERVICES / DRIVERS ===============

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-2-22 101647]

R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-7-16 44720]

R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\SBALG01.SYS [2004-11-29 7504]

R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\SBALG12.SYS [2006-10-5 44752]

R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2007-10-26 23552]

R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-2-22 6272]

R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2008-2-22 5840]

R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2008-2-22 34000]

R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2008-2-22 14960]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\safeboot\SbClientManager.exe [2008-2-22 356352]

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~2\Tmntsrv.exe [2006-9-18 345696]

R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~2\TmPfw.exe [2006-8-29 923216]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-11 36368]

R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~2\tmproxy.exe [2006-8-29 566872]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-8-29 280392]

S0 rpgr;rpgr;c:\windows\system32\drivers\jkfrnexd.sys --> c:\windows\system32\drivers\jkfrnexd.sys [?]

S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-03-06 20:36 <DIR> --d----- C:\bip

2009-03-05 08:24 200,712 a------- c:\windows\system32\nvapps.xml

2009-03-05 08:24 453,152 a------- c:\windows\system32\nvuninst.exe

2009-03-05 08:24 453,152 a------- c:\windows\system32\nvudisp.exe

2009-03-05 08:24 18,394 a------- c:\windows\system32\nvdisp.nvu

2009-03-05 08:02 <DIR> --d----- c:\docume~1\gifted\applic~1\Malwarebytes

2009-03-05 07:30 <DIR> a-dshr-- C:\cmdcons

2009-03-05 07:28 161,792 a------- c:\windows\SWREG.exe

2009-03-05 07:28 98,816 a------- c:\windows\sed.exe

2009-03-04 08:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-03-03 20:02 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-03-03 20:02 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-03 20:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-03-03 10:01 <DIR> --d----- c:\program files\Spybot - Search & Destroy

2009-03-03 10:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2009-02-10 07:22 <DIR> --d----- c:\program files\Common

==================== Find3M ====================

2009-03-03 07:46 17,920 a------- c:\windows\system32\userinit.exe

2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll

2008-12-19 04:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe

2008-12-19 04:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe

2008-12-19 00:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe

2008-12-19 00:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll

2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 21:04:25.51 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 12/2/2006 6:28:06 PM

System Uptime: 3/6/2009 8:40:11 PM (1 hours ago)

Motherboard: Dell Inc. | | 0WG864

Processor: Intel® Core2 CPU 6400 @ 2.13GHz | Microprocessor | 2128/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 228 GiB total, 78.867 GiB free.

D: is CDROM ()

E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP755: 12/6/2008 8:13:36 PM - System Checkpoint

RP756: 12/7/2008 10:21:33 PM - System Checkpoint

RP757: 12/9/2008 1:19:23 AM - System Checkpoint

RP758: 12/10/2008 1:51:41 AM - System Checkpoint

RP759: 12/11/2008 12:09:58 AM - Restore Operation

RP760: 12/12/2008 2:05:50 AM - System Checkpoint

RP761: 12/13/2008 2:27:47 AM - System Checkpoint

RP762: 12/13/2008 3:00:14 AM - Software Distribution Service 3.0

RP763: 12/14/2008 3:12:36 AM - System Checkpoint

RP764: 12/15/2008 4:12:37 AM - System Checkpoint

RP765: 12/16/2008 5:12:42 AM - System Checkpoint

RP766: 12/17/2008 5:24:38 AM - System Checkpoint

RP767: 12/18/2008 3:00:16 AM - Software Distribution Service 3.0

RP768: 12/19/2008 3:04:19 AM - System Checkpoint

RP769: 12/20/2008 3:13:23 AM - System Checkpoint

RP770: 12/21/2008 4:13:26 AM - System Checkpoint

RP771: 12/21/2008 5:22:52 PM - Removed Scratch LIVE 1.8.1 (18120)

RP772: 12/21/2008 5:23:11 PM - Installed Scratch LIVE 1.8.2 (18221)

RP773: 12/22/2008 5:25:25 PM - System Checkpoint

RP774: 12/23/2008 6:13:26 PM - System Checkpoint

RP775: 12/24/2008 7:13:24 PM - System Checkpoint

RP776: 12/25/2008 7:25:28 PM - System Checkpoint

RP777: 12/26/2008 8:25:29 PM - System Checkpoint

RP778: 12/27/2008 11:07:02 PM - System Checkpoint

RP779: 12/29/2008 1:24:00 AM - System Checkpoint

RP780: 12/30/2008 1:25:34 AM - System Checkpoint

RP781: 12/31/2008 2:13:33 AM - System Checkpoint

RP782: 1/1/2009 2:25:33 AM - System Checkpoint

RP783: 1/2/2009 3:25:38 AM - System Checkpoint

RP784: 1/3/2009 4:13:40 AM - System Checkpoint

RP785: 1/3/2009 7:23:35 PM - Installed Windows XP Wdf01005.

RP786: 1/5/2009 1:18:00 AM - System Checkpoint

RP787: 1/6/2009 1:30:13 AM - System Checkpoint

RP788: 1/7/2009 2:30:11 AM - System Checkpoint

RP789: 1/8/2009 2:42:13 AM - System Checkpoint

RP790: 1/9/2009 3:42:14 AM - System Checkpoint

RP791: 1/10/2009 4:30:15 AM - System Checkpoint

RP792: 1/11/2009 5:30:16 AM - System Checkpoint

RP793: 1/12/2009 6:30:17 AM - System Checkpoint

RP794: 1/13/2009 7:30:19 AM - System Checkpoint

RP795: 1/14/2009 8:55:26 AM - System Checkpoint

RP796: 1/15/2009 3:00:14 AM - Software Distribution Service 3.0

RP797: 1/16/2009 3:47:37 AM - System Checkpoint

RP798: 1/17/2009 4:47:39 AM - System Checkpoint

RP799: 1/18/2009 5:47:38 AM - System Checkpoint

RP800: 1/19/2009 6:47:40 AM - System Checkpoint

RP801: 1/20/2009 7:47:43 AM - System Checkpoint

RP802: 1/21/2009 7:59:44 AM - System Checkpoint

RP803: 1/22/2009 8:52:56 AM - System Checkpoint

RP804: 1/23/2009 9:48:50 AM - System Checkpoint

RP805: 1/24/2009 12:06:37 PM - System Checkpoint

RP806: 1/25/2009 4:39:33 PM - System Checkpoint

RP807: 1/26/2009 4:59:31 PM - System Checkpoint

RP808: 1/27/2009 5:47:50 PM - System Checkpoint

RP809: 1/28/2009 6:47:50 PM - System Checkpoint

RP810: 1/29/2009 6:59:52 PM - System Checkpoint

RP811: 1/30/2009 7:47:53 PM - System Checkpoint

RP812: 1/31/2009 8:47:54 PM - System Checkpoint

RP813: 2/1/2009 8:59:56 PM - System Checkpoint

RP814: 2/2/2009 11:50:52 PM - System Checkpoint

RP815: 2/3/2009 11:59:59 PM - System Checkpoint

RP816: 2/5/2009 1:18:33 AM - System Checkpoint

RP817: 2/6/2009 1:49:54 AM - System Checkpoint

RP818: 2/7/2009 2:00:06 AM - System Checkpoint

RP819: 2/8/2009 2:48:08 AM - System Checkpoint

RP820: 2/9/2009 3:50:48 AM - System Checkpoint

RP821: 2/10/2009 4:48:08 AM - System Checkpoint

RP822: 2/11/2009 3:00:14 AM - Software Distribution Service 3.0

RP823: 2/12/2009 3:13:27 AM - System Checkpoint

RP824: 2/13/2009 4:13:27 AM - System Checkpoint

RP825: 2/14/2009 5:13:28 AM - System Checkpoint

RP826: 2/15/2009 6:13:29 AM - System Checkpoint

RP827: 2/16/2009 7:44:11 AM - System Checkpoint

RP828: 2/17/2009 8:33:53 AM - System Checkpoint

RP829: 2/18/2009 8:57:03 AM - System Checkpoint

RP830: 2/19/2009 9:02:25 AM - System Checkpoint

RP831: 2/20/2009 9:25:34 AM - System Checkpoint

RP832: 2/21/2009 9:26:12 AM - System Checkpoint

RP833: 2/22/2009 11:06:52 AM - System Checkpoint

RP834: 2/22/2009 4:35:13 PM - Restore Operation

RP835: 2/23/2009 4:53:39 PM - System Checkpoint

RP836: 2/24/2009 4:56:51 PM - System Checkpoint

RP837: 2/25/2009 3:00:12 AM - Software Distribution Service 3.0

RP838: 2/25/2009 8:34:19 AM - Restore Operation

RP839: 2/26/2009 3:00:18 AM - Software Distribution Service 3.0

RP840: 2/27/2009 3:00:16 AM - Software Distribution Service 3.0

RP841: 2/28/2009 3:10:55 AM - System Checkpoint

RP842: 3/1/2009 4:10:54 AM - System Checkpoint

RP843: 3/2/2009 5:10:59 AM - System Checkpoint

RP844: 3/2/2009 7:09:51 AM - Removed Bonjour

RP845: 3/2/2009 7:10:36 AM - Removed NetZeroInstallers

RP846: 3/3/2009 7:10:59 AM - System Checkpoint

RP847: 3/3/2009 8:11:19 AM - Removed Documentation & Support Launcher

RP848: 3/3/2009 8:11:56 AM - Removed Games, Music, & Photos Launcher

RP849: 3/3/2009 8:15:56 AM - Removed Digital Content Portal

RP850: 3/5/2009 9:50:47 AM - System Checkpoint

RP851: 3/6/2009 3:00:13 AM - Software Distribution Service 3.0

RP852: 3/6/2009 9:04:35 AM - ComboFix created restore point

RP853: 3/6/2009 8:36:43 PM - ComboFix created restore point

==== Installed Programs ======================

Adobe Audition 1.0

Adobe Audition 2.0

Adobe Flash Player 10 ActiveX

Adobe Photoshop 7.0

Adobe Reader 7.0.8

Apple Mobile Device Support

Apple Software Update

CDDRV_Installer

Creative MediaSource

Dell CinePlayer

Dell Driver Reset Tool

Dell Support 3.2.1

Dell System Restore

EducateU

EPSON ESPR220 Reference Guide

EPSON Print CD

EPSON Printer Software

ESPNMotion

FlashFXP v3

getPlus®_ocx

Google Toolbar for Internet Explorer

High Definition Audio Driver Package - KB835221

HijackThis 2.0.2

Hotfix for Windows Media Player 10 (KB903157)

Hotfix for Windows XP (KB952287)

IL Download Manager

Intel® Graphics Media Accelerator Driver

Intel® Matrix Storage Manager

Intel® PRO Network Connections

iTunes

J2SE Runtime Environment 5.0 Update 6

Juniper Networks Host Checker

Juniper Terminal Services Client

KhalSetup

LimeWire 4.16.6

Logitech Communications Manager

Logitech SetPoint

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft .NET Framework 2.0 Service Pack 1

Microsoft ActiveSync

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft National Language Support Downlevel APIs

Microsoft Office XP Professional

Microsoft Plus! Digital Media Edition Installer

Microsoft Plus! Photo Story 2 LE

Microsoft Visual C++ 2005 Redistributable

Microsoft Works

Mogul User Guide

Move Networks Media Player for Internet Explorer

Mozilla Firefox (2.0.0.11)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

NVIDIA Drivers

NVIDIA PhysX v8.07.18

Play MPE Player

QuickTime

RealPlayer

Roxio DLA

Roxio MyDVD LE

Roxio RecordNow Audio

Roxio RecordNow Copy

Roxio RecordNow Data

Scratch LIVE 1.8.2 (18221)

Secure Application Manager

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950759)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953838)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB960715)

SHOUTcast Source DSP 1.9.0 (remove only)

Sonic Activation Module

Sonic Advanced Decoder

Sonic Encoders

Sonic Update Manager

Sound Blaster X-Fi

Spybot - Search & Destroy

Trend Micro PC-cillin Internet Security 14

Update for Windows Media Player 10 (KB910393)

Update for Windows Media Player 10 (KB913800)

Update for Windows Media Player 10 (KB926251)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update Rollup 2 for Windows XP Media Center Edition 2005

Ventrilo Client

Warcraft III: All Products

WebFldrs XP

Winamp (remove only)

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7

Windows Media Format Runtime

Windows Media Player 10

Windows Media Player 10 Hotfix - KB894476

Windows Media Player 10 Hotfix [see EmeraldQFE2 for more information]

Windows XP Media Center Edition 2005 KB908246

Windows XP Media Center Edition 2005 KB912067

Windows XP Service Pack 3

WinRAR archiver

World of Warcraft

Xone Mixed In Key 3

Yahoo! Browser Services

Yahoo! Install Manager

Yahoo! Internet Mail

Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

3/3/2009 7:53:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

3/3/2009 7:50:16 PM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The system cannot find the path specified.

3/3/2009 7:30:20 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

3/3/2009 10:31:59 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss RsvLock SbPrcCtl Tcpip tmtdi WS2IFSL

3/3/2009 10:31:59 AM, error: Service Control Manager [7001] - The Trend Micro Proxy Service service depends on the Trend Micro TDI Driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/3/2009 10:31:59 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/3/2009 10:31:59 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/3/2009 10:31:59 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

3/3/2009 10:31:59 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/3/2009 10:31:59 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

3/3/2009 10:31:45 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume4'. It has stopped monitoring the volume.

3/3/2009 10:13:45 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume5'. It has stopped monitoring the volume.

3/3/2009 9:58:44 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm RsvLock SbPrcCtl tmtdi

3/3/2009 9:42:48 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for. (0x80072AFC)

3/3/2009 9:34:35 AM, error: Service Control Manager [7034] - The Trend Micro Proxy Service service terminated unexpectedly. It has done this 1 time(s).

3/3/2009 9:33:47 AM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

3/3/2009 8:27:00 AM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 001676B7EAD6 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

3/3/2009 8:09:01 AM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

3/3/2009 8:09:01 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Viewpoint Manager Service service to connect.

3/3/2009 8:00:51 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}

3/3/2009 8:00:16 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

3/3/2009 8:03:41 PM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 001676B7EAD6 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

3/5/2009 7:22:11 AM, error: Dhcp [1002] - The IP address lease 98.233.23.210 for the Network Card with network address 001676B7EAD6 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

3/5/2009 7:38:48 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 001676B7EAD6 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

3/5/2009 8:15:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

3/5/2009 8:18:43 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

3/5/2009 8:22:07 AM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 8060c56e, parameter3 b9ce35b0, parameter4 00000000.

3/6/2009 7:36:43 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for. (0x80072AFC)

3/6/2009 8:06:43 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for. (0x80072AFC)

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The SafeBoot Client Manager service terminated unexpectedly. It has done this 1 time(s).

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).

3/6/2009 9:04:52 AM, error: Service Control Manager [7031] - The Media Center Receiver Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Media Center Scheduler Service service terminated unexpectedly. It has done this 1 time(s).

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

3/6/2009 9:04:52 AM, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.

3/6/2009 9:04:52 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Trend Micro Personal Firewall service terminated unexpectedly. It has done this 1 time(s).

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Intel® Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s).

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Trend Micro Real-time Service service terminated unexpectedly. It has done this 1 time(s).

3/6/2009 9:04:52 AM, error: Service Control Manager [7031] - The Media Center Extender Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Trend Micro Central Control Component service terminated unexpectedly. It has done this 1 time(s).

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================


  • Root Admin

Please uninstall the following programs that have old exploited code.

Adobe Reader 7.0.8

J2SE Runtime Environment 5.0 Update 6

Please uninstall this P2P program and any others you may be running if you want us to continue to help you remove this Malware.

Using P2P software is often how users become infected in the first place and it's counterproductive to keep fighting it.

LimeWire 4.16.6

File sharing involves using technology that allows internet users to share files that are housed on their individual computers. Peer-to-peer (P2P) applications, such as those used to share music files, are some of the most common forms of file-sharing technology. However, P2P applications introduce security risks that may put your information or your computer in jeopardy. Risks of File-Sharing Technology

These file dates and times don't look correct. These files are very old and should probably have had updates by now.

They may be perfectly legit, but just seem odd due to the age of the files.

2007-11-28 19:12 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2007-11-28 19:12 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2007-11-28 19:12 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2007-11-28 19:12 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2007-11-28 19:12 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll


Ok, I uninstalled Adobe, LimeWire, and Java. I've noticed two strange things when I boot up. When I first start up, I just get my desktop background. I can pull up Task Manager and manually start up explorer.exe. After explorer loads, my desktop loads up fine. Then a Common folder opens (C:\Programs\Common).

Any suggestions?


Okay, the Common folder coming up is gone, but I still had to manually start up explorer.exe. Here's my log:

ComboFix 09-03-06.02 - GIFTED 2009-03-07 8:34:36.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1286 [GMT -5:00]

Running from: c:\documents and settings\GIFTED\Desktop\ComboFix.exe

AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Updated)

FW: PC-cillin Internet Security - Firewall *enabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://vestepau.cn

.

((((((((((((((((((((((((( Files Created from 2009-02-07 to 2009-03-07 )))))))))))))))))))))))))))))))

.

2009-03-06 22:32 . 2008-09-17 23:55 453,152 --a------ c:\windows\system32\nvuninst.exe

2009-03-06 22:32 . 2008-09-17 23:55 453,152 --a------ c:\windows\system32\nvudisp.exe

2009-03-06 22:32 . 2009-03-06 22:32 200,712 --a------ c:\windows\system32\nvapps.xml

2009-03-06 22:32 . 2008-09-17 23:55 18,394 --a------ c:\windows\system32\nvdisp.nvu

2009-03-06 20:36 . 2009-03-06 20:51 <DIR> d-------- C:\bip

2009-03-05 08:02 . 2009-03-05 08:02 <DIR> d-------- c:\documents and settings\GIFTED\Application Data\Malwarebytes

2009-03-04 08:32 . 2009-03-04 23:05 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-03 20:02 . 2009-03-03 20:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-03 20:02 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-03 20:02 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-03 10:01 . 2009-03-03 10:01 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-03-03 10:01 . 2009-03-06 08:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-03 09:31 . 2009-03-03 09:31 <DIR> d-------- c:\documents and settings\test345\Application Data\Logitech

2009-03-03 09:30 . 2008-03-18 08:35 <DIR> d-------- c:\documents and settings\test345\Application Data\Juniper Networks

2009-03-03 09:30 . 2006-11-25 13:31 <DIR> d--h----- c:\documents and settings\test345\Application Data\Gtek

2009-03-03 09:30 . 2006-11-25 13:08 <DIR> d-------- c:\documents and settings\test345\Application Data\Creative

2009-03-03 09:30 . 2009-03-03 09:30 <DIR> d-------- c:\documents and settings\test345

2009-03-03 09:09 . 2009-03-03 09:09 <DIR> d-------- c:\documents and settings\test123\Application Data\Logitech

2009-03-03 09:07 . 2008-03-18 08:35 <DIR> d-------- c:\documents and settings\test123\Application Data\Juniper Networks

2009-03-03 09:07 . 2006-11-25 13:31 <DIR> d--h----- c:\documents and settings\test123\Application Data\Gtek

2009-03-03 09:07 . 2006-11-25 13:08 <DIR> d-------- c:\documents and settings\test123\Application Data\Creative

2009-03-03 09:07 . 2009-03-03 09:07 <DIR> d-------- c:\documents and settings\test123

2009-03-03 08:00 . 2009-03-03 08:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Juniper Networks

2009-02-11 03:09 . 2009-02-11 03:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles

2009-02-10 07:22 . 2009-03-05 07:39 <DIR> d-------- c:\program files\Common

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-07 03:30 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-03-03 13:20 --------- d-----w c:\program files\Viewpoint

2009-03-03 13:15 --------- d-----w c:\program files\Dell

2009-03-03 13:15 --------- d-----w c:\program files\Common Files\AOL

2009-03-03 13:15 --------- d-----w c:\documents and settings\All Users\Application Data\AOL

2009-03-03 13:14 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

2009-03-03 13:12 --------- d-----w c:\program files\GemMaster

2009-03-03 05:08 --------- d-----w c:\program files\World of Warcraft

2009-03-02 12:43 --------- d-----w c:\documents and settings\GIFTED\Application Data\Juniper Networks

2009-03-02 12:43 --------- d-----w c:\documents and settings\All Users\Application Data\Juniper Networks

2009-02-28 01:22 --------- d-----w c:\documents and settings\GIFTED\Application Data\Move Networks

2009-02-20 12:49 --------- d-----w c:\program files\EPSON Print CD

2009-02-11 08:09 --------- d-----w c:\program files\Google

.

------- Sigcheck -------

2004-08-10 05:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe

2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe

2009-03-03 07:46 17920 3d2deea032afd945261542b345733a5f c:\windows\system32\userinit.exe

.

((((((((((((((((((((((((((((( SnapShot_2009-03-06_20.31.29.35 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-03-07 01:21:20 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-03-07 13:40:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-03-07 01:21:20 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-03-07 13:40:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-03-07 01:21:20 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-03-07 13:40:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]

"EPSON Stylus Photo R220 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 68856]

"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]

"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]

"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]

"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]

"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-03 185896]

"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]

"EPSON Stylus Photo R220 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-11-21 35328]

"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]

"SBEVMON.EXE"="c:\progra~1\SafeBoot\vdisk\SBEVMON.EXE" [2007-10-26 176128]

"SafeBootTrayManager"="c:\program files\SafeBoot Tray Manager\SbTrayManager.exe" [2007-06-12 69632]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]

"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]

"CTHelper"="CTHELPER.EXE" [2005-11-08 c:\windows\CTHELPER.EXE]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-01 c:\windows\system32\CTXFIHLP.EXE]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 c:\windows\KHALMNPR.Exe]

"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 68856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-30 113664]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-01-03 688128]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ SbNp5 scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.7.6383-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.10.6448-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=

"c:\\Documents and Settings\\GIFTED\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-02-22 101647]

R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-07-16 44720]

R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\SBALG01.SYS [2004-11-29 7504]

R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\SBALG12.SYS [2006-10-05 44752]

R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2007-10-26 23552]

R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-02-22 6272]

R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2008-02-22 5840]

R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2008-02-22 34000]

R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2008-02-22 14960]

R2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\SafeBoot\SbClientManager.exe [2008-02-22 356352]

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~2\Tmntsrv.exe [2006-09-18 345696]

R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~2\TmPfw.exe [2006-08-29 923216]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-09-11 36368]

R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~2\tmproxy.exe [2006-08-29 566872]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-08-29 280392]

S0 rpgr;rpgr;c:\windows\system32\drivers\jkfrnexd.sys --> c:\windows\system32\drivers\jkfrnexd.sys [?]

S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - D:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13008daa-54bf-11dd-ae7c-001676b7ead6}]

\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

\Shell\AutoRun\command - E:\setup.exe

.

Contents of the 'Scheduled Tasks' folder

2009-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

LSP: c:\program files\Neoteris\Secure Application Manager\gapsp.dll

DPF: {D1519EBF-06AB-4FDD-8DB2-836893F3DED7} - hxxps://plaympe.com/activex/PlayMPEX.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-07 08:50:04

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTHelper = CTHELPER.EXE?

CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ


  • Root Admin

STEP 01

RootRepeal - Rootkit Detector

  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.

STEP 02

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt

STEP 03

Please create a BOOTLOG

  • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
  • Select the "Enable Boot Logging" option and press enter.
  • Windows prompts you to select a Windows Installation (even if there is only one Windows installation)
  • This boots Windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows

If you're already running inside Windows you can enable it the following way.

  • Click on START - RUN and type in MSCONFIG, go to the BOOT.INI tab and place a check mark by /BOOTLOG
  • Click on OK and you will be prompted to RESTART Windows. Please do restart now.
  • After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
  • From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.

STEP 04

Please download the following scanning tool: GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.
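As an added example that is not part of this thread (neither the Root Admin's instructions nor any tool author's code): once the ntbtlog.txt from STEP 03 is in hand, a short Python script can do the first pass of reading it, grouping the entries by boot session, listing the drivers that did not load, flagging drivers loaded from outside the usual system directories, and cross-checking the result against the Service Control Manager 7026 event quoted earlier in this thread. The boot-log sample, the session-header convention (any line that is not a "Loaded driver" / "Did not load driver" entry starts a new boot), and the assumption that a service name in the 7026 event equals the driver file's base name are all constructed or assumed here.

```python
import re
from typing import Any, Dict, List, Optional

LOADED = "Loaded driver "
FAILED = "Did not load driver "

# Directories a boot-start driver is normally loaded from on Windows XP (compared
# case-insensitively). Anything loaded from elsewhere deserves a closer look.
EXPECTED_PREFIXES = ("\\systemroot\\system32\\", "\\windows\\system32\\")

# Constructed sample ntbtlog.txt with two appended boot sessions. Sample data only,
# not the poster's real boot log; the C:\Temp path is a made-up illustration.
SAMPLE_NTBTLOG = (
    "Service Pack 3  3  7 2009 08:30:00.000\n"
    "Loaded driver \\WINDOWS\\system32\\ntkrnlpa.exe\n"
    "Loaded driver \\WINDOWS\\system32\\hal.dll\n"
    "Loaded driver \\SystemRoot\\System32\\Drivers\\iaStor.sys\n"
    "Did not load driver \\SystemRoot\\System32\\Drivers\\Fips.SYS\n"
    "Did not load driver \\SystemRoot\\System32\\DRIVERS\\AFD.sys\n"
    "Did not load driver \\SystemRoot\\System32\\DRIVERS\\tcpip.sys\n"
    "Loaded driver \\??\\C:\\Temp\\constructed.sys\n"
    "Service Pack 3  3  8 2009 10:51:29.500\n"
    "Loaded driver \\WINDOWS\\system32\\ntkrnlpa.exe\n"
    "Loaded driver \\SystemRoot\\System32\\Drivers\\Fips.SYS\n"
    "Loaded driver \\SystemRoot\\System32\\DRIVERS\\tcpip.sys\n"
    "Did not load driver \\SystemRoot\\System32\\Drivers\\i2omgmt.SYS\n"
)

# The Service Control Manager 7026 event quoted from the Event Viewer section of this thread.
SAMPLE_EVENT_7026 = (
    "3/3/2009 10:31:59 AM, error: Service Control Manager [7026] - The following "
    "boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec "
    "MRxSmb NetBIOS NetBT RasAcd Rdbss RsvLock SbPrcCtl Tcpip tmtdi WS2IFSL"
)


def parse_ntbtlog(text: str) -> List[Dict[str, Any]]:
    """Split ntbtlog.txt into boot sessions.

    Assumption: each boot appends one header line (date/service pack) followed by
    'Loaded driver ...' and 'Did not load driver ...' entries, so any other non-empty
    line starts a new session."""
    sessions: List[Dict[str, Any]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(LOADED) or line.startswith(FAILED):
            if not sessions:  # entries before any header: keep them in an unnamed session
                sessions.append({"header": "", "loaded": [], "failed": []})
            key, prefix = ("loaded", LOADED) if line.startswith(LOADED) else ("failed", FAILED)
            sessions[-1][key].append(line[len(prefix):])
        else:
            sessions.append({"header": line, "loaded": [], "failed": []})
    return sessions


def parse_event_7026(event_line: str) -> List[str]:
    """Extract the service names from a Service Control Manager 7026 event line."""
    m = re.search(r"failed to load:\s*(.+)$", event_line)
    return m.group(1).split() if m else []


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage_session(session: Dict[str, Any],
                   event_failures: Optional[List[str]] = None) -> Dict[str, List[str]]:
    """Summarise one boot session for a first-pass review."""
    loaded: List[str] = session["loaded"]
    failed: List[str] = session["failed"]
    failed_names = sorted({_basename(p) for p in failed}, key=str.lower)
    unusual = [p for p in loaded if not p.lower().startswith(EXPECTED_PREFIXES)]
    # Assumption: the service name in the 7026 event equals the driver file's base name
    # without extension (holds for AFD, Tcpip, Fips; not guaranteed for every service).
    stems = {_basename(p).lower().rsplit(".", 1)[0] for p in failed}
    corroborated = sorted(n for n in (event_failures or []) if n.lower() in stems)
    return {"failed": failed_names, "unusual_paths": unusual,
            "corroborated_by_eventlog": corroborated}


def triage_report(text: str, event_line: Optional[str] = None) -> List[Dict[str, Any]]:
    """Triage every boot session in an ntbtlog.txt; the last session is the most recent boot."""
    failures = parse_event_7026(event_line) if event_line else []
    return [{"header": s["header"], **triage_session(s, failures)} for s in parse_ntbtlog(text)]


if __name__ == "__main__":
    for entry in triage_report(SAMPLE_NTBTLOG, SAMPLE_EVENT_7026):
        print(entry["header"])
        print("  did not load:      ", ", ".join(entry["failed"]) or "-")
        print("  unusual locations: ", ", ".join(entry["unusual_paths"]) or "-")
        print("  also in event 7026:", ", ".join(entry["corroborated_by_eventlog"]) or "-")
```

Because ntbtlog.txt accumulates across reboots, the script keeps sessions separate so that a driver that failed in an earlier boot but loaded in the latest one (Fips and tcpip in the sample) is not mistaken for a current problem; only the most recent session should be compared with the current Event Viewer entries.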


ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/03/08 10:40

Program Version: Version 1.2.3.0

Windows Version: Windows XP Media Center Edition SP3

==================================================

Drivers

-------------------

Name: catchme.sys

Image Path: C:\ComboFix\catchme.sys

Address: 0xBA490000 Size: 30592 File Visible: No

Status: -

Name: Combo-Fix.sys

Image Path: Combo-Fix.sys

Address: 0xBA128000 Size: 60416 File Visible: No

Status: -

Name: dump_iaStor.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys

Address: 0xA4A33000 Size: 749568 File Visible: No

Status: -

Name: PROCEXP90.SYS

Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS

Address: 0xBA5F6000 Size: 6464 File Visible: No

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xBA238000 Size: 45056 File Visible: No

Status: -

Hidden/Locked Files

-------------------

Path: Volume C:\

Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 10

Status: Sector mismatch

Path: Volume C:\, Sector 11

Status: Sector mismatch

Path: Volume C:\, Sector 32

Status: Sector mismatch

Path: Volume C:\, Sector 57

Status: Sector mismatch

Path: Volume C:\, Sector 60

Status: Sector mismatch

Path: Volume C:\, Sector 61

Status: Sector mismatch

Path: Volume C:\, Sector 62

Status: Sector mismatch

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\Documents and Settings\GIFTED\Desktop\MUSIC DOWNLOADS\david_20banner_20ft[1]._20busta_20rhymes_20-_20i_20dont_20give_20a_20censored_20-_20buckmarleyxxx.blogspot.

Status: Locked to the Windows API!

Path: C:\Documents and Settings\GIFTED\Desktop\MUSIC DOWNLOADS\David_Banner-_Stand_Up__Ft._Dem_Hood_Starz.mp3:Zone.Identifier

Status: Invisible to the Windows API!

SSDT

-------------------

#: 050 Function Name: NtCreateSection

Status: Hooked by "C:\WINDOWS\System32\Drivers\SbPrcCtl.SYS" at address 0xa764e9b1

Stealth Objects

-------------------

Object: Hidden Code [ETHREAD: 0x878d1da8]

Process: System Address: 0x87cfb260 Size: -

Object: Hidden Code [ETHREAD: 0x8757eda8]

Process: System Address: 0x87ce9280 Size: -

Object: Hidden Code [ETHREAD: 0x878beda8]

Process: System Address: 0x87d2e7d0 Size: -

Object: Hidden Code [ETHREAD: 0x875d6da8]

Process: System Address: 0x87ccc610 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_CREATE]

Process: System Address: 0x87cc4760 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_CLOSE]

Process: System Address: 0x87cc4760 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_READ]

Process: System Address: 0x87cc01ac Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_WRITE]

Process: System Address: 0x87cc01ac Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x87cc4772 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x87cc476c Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x87cc4766 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_SHUTDOWN]

Process: System Address: 0x87cc4772 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_POWER]

Process: System Address: 0x87cc477e Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x87cc4784 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_PNP]

Process: System Address: 0x87cc4778 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]

Process: System Address: 0x87cc4760 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]

Process: System Address: 0x87cc4760 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]

Process: System Address: 0x87cc01ac Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]

Process: System Address: 0x87cc01ac Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x87cc4772 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x87cc476c Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x87cc4766 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]

Process: System Address: 0x87cc4772 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]

Process: System Address: 0x87cc477e Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x87cc4784 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]

Process: System Address: 0x87cc4778 Size: -


DDS (Ver_09-02-01.01) - NTFSx86

Run by GIFTED at 10:51:29.51 on Sun 03/08/2009

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1227 [GMT -4:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated)

FW: PC-cillin Internet Security - Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\SafeBoot\SbClientManager.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

svchost.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\iPod\bin\iPodService.exe

"C:\WINDOWS\system32\svchost.exe"

C:\WINDOWS\explorer.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE

C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.EXE

C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Dell Support\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\GIFTED\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: NoExplorer - No File

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll

BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll

TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"

uRun: [EPSON Stylus Photo R220 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /M "Stylus Photo R220" /EF "HKCU"

uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [CTHelper] CTHELPER.EXE

mRun: [CTxfiHlp] CTXFIHLP.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe

mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe

mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"

mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r

mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"

mRun: [EPSON Stylus Photo R220 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /O6 "USB002" /M "Stylus Photo R220"

mRun: [WinampAgent] c:\program files\winamp\winampa.exe

mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sBEVMON.EXE] c:\progra~1\safeboot\vdisk\SBEVMON.EXE -WinLogon

mRun: [safeBootTrayManager] "c:\program files\safeboot tray manager\SbTrayManager.exe"

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [LVCOMSX] "c:\program files\common files\logishrd\lcommgr\LVComSX.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: c:\program files\neoteris\secure application manager\gapsp.dll

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} - hxxp://pictures.sprintpcs.com/activex/LightSurfUploadControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165103620734

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab

DPF: {D1519EBF-06AB-4FDD-8DB2-836893F3DED7} - hxxps://plaympe.com/activex/PlayMPEX.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://gaoportal1.gao.gov/dana-cached/setup/JuniperSetupSP1.cab

DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.4.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: igfxcui - igfxdev.dll

LSA: Notification Packages = SbNp5 scecli

============= SERVICES / DRIVERS ===============

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-2-22 101647]

R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-7-16 44720]

R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\SBALG01.SYS [2004-11-29 7504]

R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\SBALG12.SYS [2006-10-5 44752]

R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2007-10-26 23552]

R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-2-22 6272]

R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2008-2-22 5840]

R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2008-2-22 34000]

R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2008-2-22 14960]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\safeboot\SbClientManager.exe [2008-2-22 356352]

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~2\Tmntsrv.exe [2006-9-18 345696]

R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~2\TmPfw.exe [2006-8-29 923216]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-11 36368]

R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~2\tmproxy.exe [2006-8-29 566872]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-8-29 280392]

S0 rpgr;rpgr;c:\windows\system32\drivers\jkfrnexd.sys --> c:\windows\system32\drivers\jkfrnexd.sys [?]

S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2005-8-16 26488]

S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-03-08 10:24 18,801 a------- C:\RootRepeal.dmp

2009-03-08 10:21 0 a------- C:\settings.dat

2009-03-08 10:20 446,464 a------- C:\RootRepeal.exe

2009-03-07 18:36 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat

2009-03-07 10:32 <DIR> --d----- c:\windows\pss

2009-03-07 10:30 <DIR> --d----- c:\windows\system32\XPSViewer

2009-03-07 10:30 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-03-07 10:30 575,488 -------- c:\windows\system32\xpsshhdr.dll

2009-03-07 10:30 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll

2009-03-07 10:30 117,760 -------- c:\windows\system32\prntvpt.dll

2009-03-07 10:30 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-03-07 10:30 <DIR> --d----- C:\4eec6e5b9e6f03319333abbc42e7a7

2009-03-07 10:30 1,676,288 -------- c:\windows\system32\xpssvcs.dll

2009-03-07 10:30 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll

2009-03-07 10:29 <DIR> --d----- c:\windows\SxsCaPendDel

2009-03-07 10:27 <DIR> --d----- C:\5dd382b34908719fd5529793495b

2009-03-07 09:33 <DIR> --d----- C:\ComboFix

2009-03-06 23:32 200,712 a------- c:\windows\system32\nvapps.xml

2009-03-06 23:32 453,152 a------- c:\windows\system32\nvuninst.exe

2009-03-06 23:32 453,152 a------- c:\windows\system32\nvudisp.exe

2009-03-06 23:32 18,394 a------- c:\windows\system32\nvdisp.nvu

2009-03-06 21:36 <DIR> --d----- C:\bip

2009-03-05 09:02 <DIR> --d----- c:\docume~1\gifted\applic~1\Malwarebytes

2009-03-05 08:30 <DIR> a-dshr-- C:\cmdcons

2009-03-05 08:28 161,792 a------- c:\windows\SWREG.exe

2009-03-05 08:28 98,816 a------- c:\windows\sed.exe

2009-03-04 09:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-03-03 21:02 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-03-03 21:02 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-03 21:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-03-03 11:01 <DIR> --d----- c:\program files\Spybot - Search & Destroy

2009-03-03 11:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2009-02-10 08:22 <DIR> --d----- c:\program files\Common

==================== Find3M ====================

2009-03-03 08:46 17,920 a------- c:\windows\system32\userinit.exe

2009-01-16 22:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll

2008-12-19 05:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe

2008-12-19 05:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe

2008-12-19 01:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe

2008-12-19 01:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll

2008-12-11 06:57 333,952 -------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 10:51:43.24 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 12/2/2006 6:28:06 PM

System Uptime: 3/7/2009 8:40:03 AM (26 hours ago)

Motherboard: Dell Inc. | | 0WG864

Processor: Intel® Core2 CPU 6400 @ 2.13GHz | Microprocessor | 2128/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 228 GiB total, 75.509 GiB free.

D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP757: 12/9/2008 1:19:23 AM - System Checkpoint

RP758: 12/10/2008 1:51:41 AM - System Checkpoint

RP759: 12/11/2008 12:09:58 AM - Restore Operation

RP760: 12/12/2008 2:05:50 AM - System Checkpoint

RP761: 12/13/2008 2:27:47 AM - System Checkpoint

RP762: 12/13/2008 3:00:14 AM - Software Distribution Service 3.0

RP763: 12/14/2008 3:12:36 AM - System Checkpoint

RP764: 12/15/2008 4:12:37 AM - System Checkpoint

RP765: 12/16/2008 5:12:42 AM - System Checkpoint

RP766: 12/17/2008 5:24:38 AM - System Checkpoint

RP767: 12/18/2008 3:00:16 AM - Software Distribution Service 3.0

RP768: 12/19/2008 3:04:19 AM - System Checkpoint

RP769: 12/20/2008 3:13:23 AM - System Checkpoint

RP770: 12/21/2008 4:13:26 AM - System Checkpoint

RP771: 12/21/2008 5:22:52 PM - Removed Scratch LIVE 1.8.1 (18120)

RP772: 12/21/2008 5:23:11 PM - Installed Scratch LIVE 1.8.2 (18221)

RP773: 12/22/2008 5:25:25 PM - System Checkpoint

RP774: 12/23/2008 6:13:26 PM - System Checkpoint

RP775: 12/24/2008 7:13:24 PM - System Checkpoint

RP776: 12/25/2008 7:25:28 PM - System Checkpoint

RP777: 12/26/2008 8:25:29 PM - System Checkpoint

RP778: 12/27/2008 11:07:02 PM - System Checkpoint

RP779: 12/29/2008 1:24:00 AM - System Checkpoint

RP780: 12/30/2008 1:25:34 AM - System Checkpoint

RP781: 12/31/2008 2:13:33 AM - System Checkpoint

RP782: 1/1/2009 2:25:33 AM - System Checkpoint

RP783: 1/2/2009 3:25:38 AM - System Checkpoint

RP784: 1/3/2009 4:13:40 AM - System Checkpoint

RP785: 1/3/2009 7:23:35 PM - Installed Windows XP Wdf01005.

RP786: 1/5/2009 1:18:00 AM - System Checkpoint

RP787: 1/6/2009 1:30:13 AM - System Checkpoint

RP788: 1/7/2009 2:30:11 AM - System Checkpoint

RP789: 1/8/2009 2:42:13 AM - System Checkpoint

RP790: 1/9/2009 3:42:14 AM - System Checkpoint

RP791: 1/10/2009 4:30:15 AM - System Checkpoint

RP792: 1/11/2009 5:30:16 AM - System Checkpoint

RP793: 1/12/2009 6:30:17 AM - System Checkpoint

RP794: 1/13/2009 7:30:19 AM - System Checkpoint

RP795: 1/14/2009 8:55:26 AM - System Checkpoint

RP796: 1/15/2009 3:00:14 AM - Software Distribution Service 3.0

RP797: 1/16/2009 3:47:37 AM - System Checkpoint

RP798: 1/17/2009 4:47:39 AM - System Checkpoint

RP799: 1/18/2009 5:47:38 AM - System Checkpoint

RP800: 1/19/2009 6:47:40 AM - System Checkpoint

RP801: 1/20/2009 7:47:43 AM - System Checkpoint

RP802: 1/21/2009 7:59:44 AM - System Checkpoint

RP803: 1/22/2009 8:52:56 AM - System Checkpoint

RP804: 1/23/2009 9:48:50 AM - System Checkpoint

RP805: 1/24/2009 12:06:37 PM - System Checkpoint

RP806: 1/25/2009 4:39:33 PM - System Checkpoint

RP807: 1/26/2009 4:59:31 PM - System Checkpoint

RP808: 1/27/2009 5:47:50 PM - System Checkpoint

RP809: 1/28/2009 6:47:50 PM - System Checkpoint

RP810: 1/29/2009 6:59:52 PM - System Checkpoint

RP811: 1/30/2009 7:47:53 PM - System Checkpoint

RP812: 1/31/2009 8:47:54 PM - System Checkpoint

RP813: 2/1/2009 8:59:56 PM - System Checkpoint

RP814: 2/2/2009 11:50:52 PM - System Checkpoint

RP815: 2/3/2009 11:59:59 PM - System Checkpoint

RP816: 2/5/2009 1:18:33 AM - System Checkpoint

RP817: 2/6/2009 1:49:54 AM - System Checkpoint

RP818: 2/7/2009 2:00:06 AM - System Checkpoint

RP819: 2/8/2009 2:48:08 AM - System Checkpoint

RP820: 2/9/2009 3:50:48 AM - System Checkpoint

RP821: 2/10/2009 4:48:08 AM - System Checkpoint

RP822: 2/11/2009 3:00:14 AM - Software Distribution Service 3.0

RP823: 2/12/2009 3:13:27 AM - System Checkpoint

RP824: 2/13/2009 4:13:27 AM - System Checkpoint

RP825: 2/14/2009 5:13:28 AM - System Checkpoint

RP826: 2/15/2009 6:13:29 AM - System Checkpoint

RP827: 2/16/2009 7:44:11 AM - System Checkpoint

RP828: 2/17/2009 8:33:53 AM - System Checkpoint

RP829: 2/18/2009 8:57:03 AM - System Checkpoint

RP830: 2/19/2009 9:02:25 AM - System Checkpoint

RP831: 2/20/2009 9:25:34 AM - System Checkpoint

RP832: 2/21/2009 9:26:12 AM - System Checkpoint

RP833: 2/22/2009 11:06:52 AM - System Checkpoint

RP834: 2/22/2009 4:35:13 PM - Restore Operation

RP835: 2/23/2009 4:53:39 PM - System Checkpoint

RP836: 2/24/2009 4:56:51 PM - System Checkpoint

RP837: 2/25/2009 3:00:12 AM - Software Distribution Service 3.0

RP838: 2/25/2009 8:34:19 AM - Restore Operation

RP839: 2/26/2009 3:00:18 AM - Software Distribution Service 3.0

RP840: 2/27/2009 3:00:16 AM - Software Distribution Service 3.0

RP841: 2/28/2009 3:10:55 AM - System Checkpoint

RP842: 3/1/2009 4:10:54 AM - System Checkpoint

RP843: 3/2/2009 5:10:59 AM - System Checkpoint

RP844: 3/2/2009 7:09:51 AM - Removed Bonjour

RP845: 3/2/2009 7:10:36 AM - Removed NetZeroInstallers

RP846: 3/3/2009 7:10:59 AM - System Checkpoint

RP847: 3/3/2009 8:11:19 AM - Removed Documentation & Support Launcher

RP848: 3/3/2009 8:11:56 AM - Removed Games, Music, & Photos Launcher

RP849: 3/3/2009 8:15:56 AM - Removed Digital Content Portal

RP850: 3/5/2009 9:50:47 AM - System Checkpoint

RP851: 3/6/2009 3:00:13 AM - Software Distribution Service 3.0

RP852: 3/6/2009 9:04:35 AM - ComboFix created restore point

RP853: 3/6/2009 8:36:43 PM - ComboFix created restore point

RP854: 3/6/2009 10:11:49 PM - Removed Adobe Reader 7.0.8

RP855: 3/6/2009 10:12:28 PM - Removed J2SE Runtime Environment 5.0 Update 6

RP856: 3/6/2009 10:30:30 PM - Removed NVIDIA PhysX v8.07.18

RP857: 3/7/2009 8:34:18 AM - ComboFix created restore point

RP858: 3/7/2009 9:26:54 AM - Software Distribution Service 3.0

RP859: 3/8/2009 3:00:17 AM - Software Distribution Service 3.0

==== Installed Programs ======================

Adobe Audition 1.0

Adobe Audition 2.0

Adobe Flash Player 10 ActiveX

Adobe Photoshop 7.0

Apple Mobile Device Support

Apple Software Update

CDDRV_Installer

Creative MediaSource

Dell CinePlayer

Dell Driver Reset Tool

Dell Support 3.2.1

Dell System Restore

EducateU

EPSON ESPR220 Reference Guide

EPSON Print CD

EPSON Printer Software

ESPNMotion

FlashFXP v3

getPlus®_ocx

Google Toolbar for Internet Explorer

High Definition Audio Driver Package - KB835221

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Player 10 (KB903157)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

IL Download Manager

Intel® Graphics Media Accelerator Driver

Intel® Matrix Storage Manager

Intel® PRO Network Connections

iTunes

Juniper Networks Host Checker

Juniper Terminal Services Client

KhalSetup

Logitech Communications Manager

Logitech SetPoint

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft ActiveSync

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft National Language Support Downlevel APIs

Microsoft Office XP Professional

Microsoft Plus! Digital Media Edition Installer

Microsoft Plus! Photo Story 2 LE

Microsoft Visual C++ 2005 Redistributable

Microsoft Works

Mogul User Guide

Move Networks Media Player for Internet Explorer

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

NVIDIA Drivers

Play MPE Player

QuickTime

RealPlayer

Roxio DLA

Roxio MyDVD LE

Roxio RecordNow Audio

Roxio RecordNow Copy

Roxio RecordNow Data

Scratch LIVE 1.8.2 (18221)

Secure Application Manager

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950759)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953838)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB960715)

SHOUTcast Source DSP 1.9.0 (remove only)

Sonic Activation Module

Sonic Advanced Decoder

Sonic Encoders

Sonic Update Manager

Sound Blaster X-Fi

Spybot - Search & Destroy

Trend Micro PC-cillin Internet Security 14

Update for Windows Media Player 10 (KB910393)

Update for Windows Media Player 10 (KB913800)

Update for Windows Media Player 10 (KB926251)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update Rollup 2 for Windows XP Media Center Edition 2005

Ventrilo Client

Warcraft III: All Products

WebFldrs XP

Winamp (remove only)

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7

Windows Media Format Runtime

Windows Media Player 10

Windows Media Player 10 Hotfix - KB894476

Windows Media Player 10 Hotfix [see EmeraldQFE2 for more information]

Windows XP Media Center Edition 2005 KB908246

Windows XP Media Center Edition 2005 KB912067

Windows XP Service Pack 3

WinRAR archiver

World of Warcraft

Xone Mixed In Key 3

Yahoo! Browser Services

Yahoo! Install Manager

Yahoo! Internet Mail

Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

3/3/2009 8:44:26 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss RsvLock SbPrcCtl Tcpip tmtdi WS2IFSL

3/3/2009 8:44:26 AM, error: Service Control Manager [7001] - The Trend Micro Proxy Service service depends on the Trend Micro TDI Driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/3/2009 8:44:26 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/3/2009 8:44:26 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/3/2009 8:44:26 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

3/3/2009 8:44:26 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/3/2009 8:44:26 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

3/3/2009 8:43:31 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

3/3/2009 8:28:39 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm RsvLock SbPrcCtl tmtdi

3/3/2009 8:27:00 AM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 001676B7EAD6 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

3/3/2009 8:09:01 AM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

3/3/2009 8:09:01 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Viewpoint Manager Service service to connect.

3/3/2009 8:00:51 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}

3/3/2009 8:00:16 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

3/3/2009 8:58:43 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for. (0x80072AFC)

3/3/2009 8:59:43 AM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The system cannot find the path specified.

3/3/2009 9:33:47 AM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

3/3/2009 9:34:35 AM, error: Service Control Manager [7034] - The Trend Micro Proxy Service service terminated unexpectedly. It has done this 1 time(s).

3/3/2009 10:13:45 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume5'. It has stopped monitoring the volume.

3/3/2009 10:31:45 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume4'. It has stopped monitoring the volume.

3/3/2009 10:45:20 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

3/3/2009 8:03:41 PM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 001676B7EAD6 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

3/5/2009 7:22:11 AM, error: Dhcp [1002] - The IP address lease 98.233.23.210 for the Network Card with network address 001676B7EAD6 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

3/5/2009 7:38:48 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 001676B7EAD6 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

3/5/2009 8:15:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

3/5/2009 8:18:43 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

3/5/2009 8:22:07 AM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 8060c56e, parameter3 b9ce35b0, parameter4 00000000.

3/6/2009 7:36:43 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for. (0x80072AFC)

3/6/2009 8:06:43 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for. (0x80072AFC)

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The SafeBoot Client Manager service terminated unexpectedly. It has done this 1 time(s).

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).

3/6/2009 9:04:52 AM, error: Service Control Manager [7031] - The Media Center Receiver Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Media Center Scheduler Service service terminated unexpectedly. It has done this 1 time(s).

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

3/6/2009 9:04:52 AM, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.

3/6/2009 9:04:52 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Trend Micro Personal Firewall service terminated unexpectedly. It has done this 1 time(s).

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Intel® Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s).

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Trend Micro Real-time Service service terminated unexpectedly. It has done this 1 time(s).

3/6/2009 9:04:52 AM, error: Service Control Manager [7031] - The Media Center Extender Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Trend Micro Central Control Component service terminated unexpectedly. It has done this 1 time(s).

3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

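As an added example (not part of the original thread, and not code from Malwarebytes, Trend Micro or any other tool named here), the script below parses event-log lines in the format posted above and pulls out the two things a helper would look for in this log: the DCOM 10005 errors carrying "%1084" (Win32 error 1084 means the service cannot be started in Safe Mode, so those lines tell you which sessions were Safe Mode boots), and the burst of unrelated services all terminating at the same second on 3/6/2009, which points to one crash or forced kill rather than separate failures. It also pulls the bugcheck code out of the System Error 1003 line. The sample lines are copied from the posted log; the regex names, function names and the burst threshold are my own choices.

```python
"""Triage helper for a Windows XP event-log excerpt in the format posted above.

Added example, not the forum's or any vendor's code. Recognised line shape:
    3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The X service terminated unexpectedly. ...
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the posted log, verbatim.
SAMPLE_LOG = """\
3/3/2009 8:00:51 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
3/3/2009 9:33:47 AM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/5/2009 8:15:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
3/5/2009 8:22:07 AM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 8060c56e, parameter3 b9ce35b0, parameter4 00000000.
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The SafeBoot Client Manager service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Trend Micro Personal Firewall service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Trend Micro Real-time Service service terminated unexpectedly. It has done this 1 time(s).
"""

# One log line: timestamp, level, source, [event id], message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)
# Lazy match so "The Trend Micro Real-time Service service terminated" yields
# "Trend Micro Real-time Service" (comparison is case-sensitive).
TERMINATED_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")
DCOM_1084_RE = re.compile(r'DCOM got error "%1084" attempting to start the service (?P<svc>\S+)')
BUGCHECK_RE = re.compile(r"^Error code (?P<code>[0-9a-fA-F]+)")


def parse_events(text):
    """Return a list of dicts (ts, level, source, event_id, msg); skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["event_id"] = int(d["event_id"])
            events.append(d)
    return events


def safe_mode_indicators(events):
    """Services DCOM could not start with error 1084: the boot was in Safe Mode."""
    found = []
    for e in events:
        if e["source"] == "DCOM" and e["event_id"] == 10005:
            m = DCOM_1084_RE.search(e["msg"])
            if m:
                found.append(m.group("svc"))
    return found


def termination_bursts(events, threshold=3):
    """Timestamps at which >= threshold services died in the same second.

    SCM 7031 (with restart action) and 7034 (no action) are both 'terminated
    unexpectedly'; many unrelated services at one instant is a crash signature.
    """
    by_ts = defaultdict(list)
    for e in events:
        if e["source"] == "Service Control Manager" and e["event_id"] in (7031, 7034):
            m = TERMINATED_RE.match(e["msg"])
            if m:
                by_ts[e["ts"]].append(m.group("svc"))
    return {ts: svcs for ts, svcs in by_ts.items() if len(svcs) >= threshold}


def bugchecks(events):
    """(timestamp, bugcheck code) for each System Error 1003 (kernel crash) event."""
    out = []
    for e in events:
        if e["source"] == "System Error" and e["event_id"] == 1003:
            m = BUGCHECK_RE.match(e["msg"])
            if m:
                out.append((e["ts"], m.group("code").lower()))
    return out


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("Safe Mode boots (DCOM %1084):", safe_mode_indicators(evs))
    print("Kernel bugchecks:", bugchecks(evs))
    for ts, svcs in termination_bursts(evs).items():
        print(f"{ts}: {len(svcs)} services died together: {', '.join(svcs)}")
```

Run it against the full posted log and the 3/6/2009 9:04:52 AM burst comes out at fifteen services, including both Trend Micro services and the SafeBoot client; the 7031 entries that schedule a restart and the 7034 entries that do not are counted together on purpose, since the point is the shared timestamp, not the recovery action.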

  • Root Admin

Well, both scanners detect an MBR rootkit.

You also appear to possibly have a P2P file sharing worm. Do you have any Torrent or other file sharing software on this computer?

Path: Volume C:\

Status: MBR Rootkit Detected!

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!

Please run the following. Download it from a friend's computer or work computer and burn it to CD, then run it on your infected computer.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here.
  • Place a blank CD in your burner and double-click on the downloaded file.
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse, click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Screen resolution problems

Please see the post here if you're unable to view the entire screen of Avira.

Well, I ran the Avira scan, but now I cannot log back into my computer. As soon as I click on which account to log in as, Windows immediately logs me out. Any ideas on how to fix that problem???

Avira found the following things:

- Exp/Java.Gmish.B.2 in a few jvmimpro.jav......zip files

- TR/Agent.EQF, SPR/Tool.Ln, and SPR/dldr.delf in one specific zip file

- TR/SPY.wsmpoem.KI in several IE...tmp files

- SPR/dldr in digstream.exe

- in the Trend Micro/quarantine folder was the following:

Tr/Dropper.en

RKIT/Tdss.eyi66

TR/PCK.tdss.f.135

TR/Crypt.XPACK.Gu

RKIT/tdss.eyj.65

- in Qoobox/Quarantine

TR/BHo.lvv in Program Files/Common/helper.dll

TR/Agent.azdy.2 in System 32/a.exe.vir

TR/Crypt.XPACK.gen in System 32/senkaksunebdd.dll.vir

TR/Drop.Agent.Esy in System32/userinit.exe


Yes, I was able to use the recovery console and copied the userinit.exe file back to the system32 folder. I was able to log in. I just ran my log and it looks like everything is okay. See below:

Malwarebytes' Anti-Malware 1.34

Database version: 1848

Windows 5.1.2600 Service Pack 3

3/14/2009 4:54:00 AM

mbam-log-2009-03-14 (04-54-00).txt

Scan type: Quick Scan

Objects scanned: 81541

Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

