
I am getting a 'warning you have a security problem' alert button in my task bar, and every so often IE will try and open ffhdghdgh.com (which our proxy blocks).

After running your Malware remover it shows I have a couple of 'false trojan alerts' keys in my registry. It removes them and then reboots. After rebooting the problem is still there, and running Malware shows the same problem. Following are the HijackThis and Malware logs.

MALWARE LOG:

Malwarebytes' Anti-Malware 1.35

Database version: 1938

Windows 5.1.2600 Service Pack 3

4/3/2009 4:34:19 PM

mbam-log-2009-04-03 (16-34-19).txt

Scan type: Quick Scan

Objects scanned: 82479

Time elapsed: 5 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\promo.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HIJACK LOG:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:13:08 PM, on 4/3/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Altiris\AClient\AClient.exe

C:\Program Files\Equitrac\Professional\Client\EQSharedEngine.exe

C:\WINDOWS\system32\LxrJD31s.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\PDF Complete\pdfsvc.exe

C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\PDF Complete\pdfsty.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe

C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe

C:\WINDOWS\system32\userinit.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

C:\PROGRA~1\SHOREL~1\SHOREW~1\STCHost.exe

C:\PROGRA~1\SHOREL~1\SHOREW~1\CSISCMGR.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://luceweb/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/

F2 - REG:system.ini: Shell=Explorer.exe, c:\pjet\PJETSE.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: LookUp Precision - {3DF1974F-9A93-4EF8-9E52-1F93B7FA6765} - C:\PROGRA~1\WRPCLI~1\webtrack.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"

O4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe

O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe /Station

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1

O4 - HKCU\..\Run: [shoreTel Personal Call Manager] C:\Program Files\Shoreline Communications\ShoreWare Client\StartCli.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Error Recovery Guide.lnk = ?

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://sdmcxaac.lfhs.com

O15 - Trusted Zone: http://sircxaac.lfhs.com

O15 - Trusted Zone: http://slacxaac.lfhs.com

O15 - Trusted Zone: http://srscxaac.lfhs.com

O15 - Trusted Zone: http://ssdcxaac.lfhs.com

O15 - Trusted Zone: http://ssfcxaac.lfhs.com

O16 - DPF: {3AC3D009-2E89-4F1E-9F51-04D4FBD50122} (Shoretel SClientInstall) - http://10.21.10.140/ShoreWareDirector/clie...ientInstall.ocx

O16 - DPF: {68CDB19A-6305-4589-8C35-41E3502CD451} (Siebel Option Pack for IE 7.5.3) - https://production.ms.svcrqst.xerox.com/pro...lOptionPack.cab

O20 - AppInit_DLLs: PTAPISP.DLL EQDtpSp.dll

O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe

O23 - Service: EQ Shared Engine (EQSharedEngine) - Equitrac - C:\Program Files\Equitrac\Professional\Client\EQSharedEngine.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe

O23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 10697 bytes


Please don't bump your topic. Your post will not get lost.

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick Combofix's window while it's running. That may cause it to stall.


The following are the requested logs. PLEASE note that after running Combofix the problem is now gone.

HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:29, on 2009-04-06

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Altiris\AClient\AClient.exe

C:\Program Files\Equitrac\Professional\Client\EQSharedEngine.exe

C:\WINDOWS\system32\LxrJD31s.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\PDF Complete\pdfsvc.exe

C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\PDF Complete\pdfsty.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe

C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Altiris\AClient\AClntUsr.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

C:\PROGRA~1\SHOREL~1\SHOREW~1\STCHost.exe

C:\PROGRA~1\SHOREL~1\SHOREW~1\CSISCMGR.exe

C:\Program Files\MICROSOFT OFFICE\OFFICE11\OUTLOOK.EXE

C:\PROGRA~1\SHOREL~1\SHOREW~1\Agent.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\PROGRAM FILES\Microsystems\DocXamine\DocXManager.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Network Associates\VirusScan\MCUPDATE.EXE

C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://luceweb/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: LookUp Precision - {3DF1974F-9A93-4EF8-9E52-1F93B7FA6765} - C:\PROGRA~1\WRPCLI~1\webtrack.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe

O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe /Station

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [shoreTel Personal Call Manager] C:\Program Files\Shoreline Communications\ShoreWare Client\StartCli.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Error Recovery Guide.lnk = ?

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://sdmcxaac.lfhs.com

O15 - Trusted Zone: http://sircxaac.lfhs.com

O15 - Trusted Zone: http://slacxaac.lfhs.com

O15 - Trusted Zone: http://srscxaac.lfhs.com

O15 - Trusted Zone: http://ssdcxaac.lfhs.com

O15 - Trusted Zone: http://ssfcxaac.lfhs.com

O16 - DPF: {3AC3D009-2E89-4F1E-9F51-04D4FBD50122} (Shoretel SClientInstall) - http://10.21.10.140/ShoreWareDirector/clie...ientInstall.ocx

O16 - DPF: {68CDB19A-6305-4589-8C35-41E3502CD451} (Siebel Option Pack for IE 7.5.3) - https://production.ms.svcrqst.xerox.com/pro...lOptionPack.cab

O20 - AppInit_DLLs: PTAPISP.DLL EQDtpSp.dll

O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe

O23 - Service: EQ Shared Engine (EQSharedEngine) - Equitrac - C:\Program Files\Equitrac\Professional\Client\EQSharedEngine.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe

O23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 9875 bytes

COMBOFIX LOG:

ComboFix 09-04-04.01 - Imaging 2009-04-06 13:16:06.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1345 [GMT -7:00]

Running from: c:\documents and settings\Imaging\Desktop\ComboFix.exe

* Created a new restore point

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\IE4 Error Log.txt

.

((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))

.

2009-04-03 16:26 . 2009-04-03 16:26 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-04-03 16:26 . 2009-04-03 16:26 <DIR> d-------- c:\documents and settings\Imaging\Application Data\Malwarebytes

2009-04-03 16:26 . 2009-04-03 16:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-03 16:26 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-03 16:26 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-04-02 17:19 . 2009-04-02 17:19 <DIR> d-------- c:\program files\Trend Micro

2009-04-02 16:47 . 2009-04-02 20:27 <DIR> d-------- C:\T.MYRICK 4-2-09

2009-04-01 18:07 . 2009-04-01 18:07 <DIR> d-------- c:\documents and settings\Imaging\Application Data\True Sword

2009-04-01 18:04 . 2009-04-03 14:14 <DIR> d-------- c:\program files\True Sword 5

2009-04-01 17:19 . 2009-04-03 19:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-04-01 17:17 . 2009-04-01 17:50 <DIR> d-------- c:\windows\SxsCaPendDel

2009-04-01 16:06 . 2009-04-01 16:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard

2009-04-01 16:05 . 2009-04-01 16:05 <DIR> d-------- c:\program files\Common Files\iS3

2009-04-01 16:05 . 2009-04-01 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!

2009-03-24 09:09 . 2009-03-27 13:18 130,040,832 --a------ C:\RDH Chemical.pst

2009-03-12 12:05 . 2009-03-12 12:05 <DIR> d-------- c:\documents and settings\Imaging\Tracing

2009-03-12 12:04 . 2009-03-12 12:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Applications

2009-03-12 12:04 . 2008-12-22 14:43 82,768 --a------ c:\windows\system32\lmdimon8.dll

2009-03-10 12:41 . 2009-04-06 09:05 2,401 --a------ c:\windows\system32\drivers\AlKernel.sys

2009-03-10 12:41 . 2009-04-06 09:05 1,380 --a------ C:\AClient.cfg

2009-03-10 12:41 . 2009-03-10 16:57 41 --a------ C:\AClient.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-06 16:08 --------- d-----w c:\documents and settings\Imaging\Application Data\ShoreWare Client

2009-04-01 18:29 67 ----a-w c:\program files\090331.WordFiles.txt

2009-04-01 18:22 32,256 ----a-w c:\windows\system32\userinit.exe

2009-03-26 18:05 --------- d-----w c:\documents and settings\All Users\Application Data\Juniper Networks

2009-03-10 19:41 --------- d-----w c:\program files\Altiris

2009-03-09 15:22 69 ----a-w c:\program files\090116.OutlookDates.txt

2009-02-10 20:14 81 ----a-w c:\program files\090210.Imaging.IEintranetaddition.txt

2009-02-10 20:14 57 ----a-w c:\program files\090210.TimeService.txt

2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys

2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys

2009-01-30 19:55 54 ----a-w c:\program files\090130.LFHSmainUpDate.txt

2009-01-19 18:35 57 ----a-w c:\program files\090116.XP.txt

2009-01-17 05:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll

2009-01-12 17:18 110 ----a-w c:\program files\090108.nrtEchoPrune.txt

2008-12-31 21:00 110 ----a-w c:\program files\081226.nrtEchoPrune.txt

2008-12-26 18:45 353 ----a-w c:\program files\echopruneinstall.bat

2008-12-26 18:35 57 ----a-w c:\program files\echoprune.bat

2008-12-22 16:44 58 ----a-w c:\program files\081218.IE7.txt

2008-12-22 16:42 67 ----a-w c:\program files\081216.WordFiles.txt

2008-12-13 17:28 67 ----a-w c:\program files\081211.WordFiles.txt

2008-10-30 02:46 56 ----a-w c:\program files\081023.Imaging.NK2Fix.txt

2008-09-29 19:54 77 ----a-w c:\program files\080917.Imaging.IEtrustedSites.txt

2008-09-04 04:43 110 ----a-w c:\program files\080821.nrtEchoPrune.txt

2008-08-13 23:12 103 ----a-w c:\program files\080812.QV-IEintegration.txt

2008-06-23 19:46 73 ----a-w c:\program files\080620.Imaging.OfficeHelpFix.txt

2008-06-23 19:46 62 ----a-w c:\program files\080619.Imaging.PowerPointClipArtFix.txt

2008-05-27 23:46 67 ----a-w c:\program files\080508.Imaging.OLsecsetfix.txt

2008-03-20 16:23 48 ----a-w c:\program files\080307.DocXTools.txt

2008-03-14 19:28 66 ----a-w c:\program files\080312.Imaging.OLsecZ3fix.txt

2008-01-24 19:33 50 ----a-w c:\program files\080122.LiveMeeting.txt

2008-01-22 18:50 60 ----a-w c:\program files\080118.Best.txt

2008-01-22 18:50 60 ----a-w c:\program files\080116.Best.txt

2008-01-22 18:50 54 ----a-w c:\program files\080117.Defrag.txt

2007-12-28 19:15 60 ----a-w c:\program files\071220.Imaging.Printerupgrade.txt

2007-12-06 21:37 54 ----a-w c:\program files\071128.Imaging.Printerupgrade.txt

2007-11-26 16:00 61 ----a-w c:\program files\071116.Imaging.Printerupgrade.txt

2007-10-15 14:53 67 ----a-w c:\program files\071003.Word2003Macros.txt

2007-09-24 14:53 56 ----a-w c:\program files\070920.Interwoven.txt

2007-08-27 22:09 0 ----a-w c:\program files\070814.USCF.txt

2007-06-25 22:04 103 ----a-w c:\program files\070615.CarpeDiem.txt

2007-03-07 23:26 59 ----a-w c:\program files\070306.NewDST.txt

2007-01-11 17:04 66 ----a-w c:\program files\070110.USCF.txt

2005-09-19 23:19 150,490 ----a-w c:\program files\CBUSetup.zip

2005-09-09 19:17 62 ----a-w c:\program files\041006.Imaging.SigFix.txt

2005-09-09 19:16 74 ----a-w c:\program files\030703.Imaging.WordEnvironReg.txt

2005-01-13 19:40 78 ----a-w c:\program files\4400.txt

2003-12-16 22:02 60 ----a-w c:\program files\pjettest.txt

2008-08-20 23:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082020080821\index.dat

.

------- Sigcheck -------

2004-08-04 00:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe

2008-04-13 17:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe

2009-04-01 11:22 32256 05e3d55791817b245c1aa8468a69837e c:\windows\system32\userinit.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"ShoreTel Personal Call Manager"="c:\program files\Shoreline Communications\ShoreWare Client\StartCli.exe" [2008-03-29 41000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2005-03-06 276480]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-01-10 5513216]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-01-10 86016]

"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]

"FtLnSOP_setup"="c:\windows\Twain_32\Fjscan32\SOP\FtLnSOP.exe" [2003-12-19 212992]

"FJTWAIN Setup"="c:\windows\Twain_32\fjscan32\FjtwSetup.exe" [2003-04-24 126976]

"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]

"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-09-24 868352]

"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"AClntUsr"="c:\program files\Altiris\AClient\AClntUsr.EXE" [2009-04-06 184320]

"nwiz"="nwiz.exe" [2005-01-10 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-100000000002}\SC_Acrobat.exe [2006-12-08 25214]

Error Recovery Guide.lnk - c:\program files\PFU\Error Recovery Guide\FTErGuid.exe [2005-09-07 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=PTAPISP.DLL EQDtpSp.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Kf650a;Kf650a;c:\windows\system32\drivers\Kf650a2k.sys [2005-09-07 16405]

R0 KofaxIO;KofaxIO;c:\windows\system32\drivers\KofaxIO.sys [2005-09-07 41976]

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-07 58464]

R2 EQSharedEngine;EQ Shared Engine;c:\program files\Equitrac\Professional\Client\EQSharedEngine.exe [2007-09-06 1683456]

R2 InAspi32;InAspi32;c:\windows\system32\drivers\InAspi32.sys [2005-09-07 8704]

R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2005-07-25 476160]

R3 CBUSB;MARX CryptoTech LP;c:\windows\system32\drivers\CBUSB.sys [2005-09-19 45056]

R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2005-09-07 11520]

S2 MarxDev2;MarxDev2; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88db8807-2410-11dc-8bb2-001321ca777f}]

\Shell\AutoRun\command - E:\Help!.exe

\Shell\open\command - E:\Help!.exe

.

Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\defragtues.job

- C:\ [2009-04-06 13:17]

2009-03-25 c:\windows\Tasks\echoprune.job

- c:\program files\echoprune.bat [2008-12-26 11:35]

.

- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

HKLM-Run-Network Associates Error Reporting Service - c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://luceweb/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: lfhs.com\sdmcxaac

Trusted Zone: lfhs.com\sircxaac

Trusted Zone: lfhs.com\slacxaac

Trusted Zone: lfhs.com\srscxaac

Trusted Zone: lfhs.com\ssdcxaac

Trusted Zone: lfhs.com\ssfcxaac

DPF: {68CDB19A-6305-4589-8C35-41E3502CD451} - hxxps://production.ms.svcrqst.xerox.com/prodfalcon/service_enu/16279/applets/SiebelOptionPack.cab

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-06 13:17:32

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]

"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)

c:\windows\system32\PTAPISP.DLL

- - - - - - - > 'lsass.exe'(788)

c:\windows\system32\PTAPISP.DLL

.

Completion time: 2009-04-06 13:19:15

ComboFix-quarantined-files.txt 2009-04-06 20:19:10

Pre-Run: 85,207,236,608 bytes free

Post-Run: 85,291,950,080 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

206 --- E O F --- 2009-03-21 04:57:20


1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

E:\Help!.exe

Driver::

MarxDev2

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88db8807-2410-11dc-8bb2-001321ca777f}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.
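The entries the script above removes (the AutoRun handler pointing at E:\Help!.exe on a non-system drive, the MarxDev2 service whose binary is gone) are the kind of thing a responder picks out of a ComboFix "Reg Loading Points" section by hand. The following is an added example, not from this thread and not part of ComboFix, that applies those checks plus the AppInit_DLLs, EnableFirewall and GloballyOpenPorts lines to constructed sample lines modelled on the log above; the `triage()` function and its rule names are this example's own.

```python
"""Triage helper for ComboFix 'Reg Loading Points' output.

Added example, not part of the original thread or of ComboFix itself.
It scans log lines in the layout ComboFix prints and flags the persistence
and exposure points a responder would review first.
"""
import re

# Constructed sample modelled on the thread's log (not a live capture).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=PTAPISP.DLL EQDtpSp.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 KofaxIO;KofaxIO;c:\windows\system32\drivers\KofaxIO.sys [2005-09-07 41976]
S2 MarxDev2;MarxDev2; [x]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88db8807-2410-11dc-8bb2-001321ca777f}]
\Shell\AutoRun\command - E:\Help!.exe
\Shell\open\command - E:\Help!.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")
MOUNTPOINT_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command\s+-\s+(?P<cmd>.+)$")


def triage(log_text):
    """Return a list of (rule, detail) findings for one ComboFix log."""
    findings = []
    current_key = ""  # the most recent [registry key] header, lower-cased
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = m.group("name"), m.group("data").strip()
            if name.lower() == "appinit_dlls" and data:
                # Every DLL listed here is loaded into each user-mode process
                # that links user32.dll, so each entry needs a known owner.
                for dll in data.split():
                    findings.append(("appinit_dll", dll))
            elif name.lower() == "enablefirewall" and data.startswith("0"):
                findings.append(("firewall_disabled", current_key))
            elif "globallyopenports" in current_key:
                findings.append(("open_port", name))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group("image").strip() == "[x]":
            # Service entry whose binary is missing: a leftover of removed
            # software or of a deleted payload, worth cleaning either way.
            findings.append(("service_missing_binary", m.group("name")))
            continue
        m = MOUNTPOINT_RE.match(line)
        if m and "mountpoints2" in current_key:
            cmd = m.group("cmd")
            if cmd[:2].upper() != "C:":
                # AutoRun/open handlers for a non-system drive run the named
                # file when the drive is opened in Explorer.
                findings.append(("removable_autorun", f"{m.group('verb')} -> {cmd}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:24} {detail}")
```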

OK, it all seemed to go well.

A new HijackThis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:19, on 04/06/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Altiris\AClient\AClient.exe

C:\Program Files\Equitrac\Professional\Client\EQSharedEngine.exe

C:\WINDOWS\system32\LxrJD31s.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\PDF Complete\pdfsvc.exe

C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\PDF Complete\pdfsty.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe

C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Altiris\AClient\AClntUsr.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\SHOREL~1\SHOREW~1\STCHost.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

C:\PROGRA~1\SHOREL~1\SHOREW~1\CSISCMGR.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://luceweb/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: LookUp Precision - {3DF1974F-9A93-4EF8-9E52-1F93B7FA6765} - C:\PROGRA~1\WRPCLI~1\webtrack.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe

O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe /Station

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [shoreTel Personal Call Manager] C:\Program Files\Shoreline Communications\ShoreWare Client\StartCli.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Error Recovery Guide.lnk = ?

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://sdmcxaac.lfhs.com

O15 - Trusted Zone: http://sircxaac.lfhs.com

O15 - Trusted Zone: http://slacxaac.lfhs.com

O15 - Trusted Zone: http://srscxaac.lfhs.com

O15 - Trusted Zone: http://ssdcxaac.lfhs.com

O15 - Trusted Zone: http://ssfcxaac.lfhs.com

O16 - DPF: {3AC3D009-2E89-4F1E-9F51-04D4FBD50122} (Shoretel SClientInstall) - http://10.21.10.140/ShoreWareDirector/clie...ientInstall.ocx

O16 - DPF: {68CDB19A-6305-4589-8C35-41E3502CD451} (Siebel Option Pack for IE 7.5.3) - https://production.ms.svcrqst.xerox.com/pro...lOptionPack.cab

O20 - AppInit_DLLs: PTAPISP.DLL EQDtpSp.dll

O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe

O23 - Service: EQ Shared Engine (EQSharedEngine) - Equitrac - C:\Program Files\Equitrac\Professional\Client\EQSharedEngine.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe

O23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 9532 bytes

ComboFix log

ComboFix 09-04-04.01 - Imaging 2009-04-06 19:02:53.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1418 [GMT -7:00]

Running from: c:\documents and settings\Imaging\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Imaging\Desktop\CFScript.txt

* Created a new restore point

* Resident AV is active

FILE ::

E:\Help!.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MARXDEV2

-------\Service_MarxDev2

((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))

.

2009-04-03 16:26 . 2009-04-03 16:26 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-04-03 16:26 . 2009-04-03 16:26 <DIR> d-------- c:\documents and settings\Imaging\Application Data\Malwarebytes

2009-04-03 16:26 . 2009-04-03 16:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-03 16:26 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-03 16:26 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-04-02 17:19 . 2009-04-02 17:19 <DIR> d-------- c:\program files\Trend Micro

2009-04-02 16:47 . 2009-04-02 20:27 <DIR> d-------- C:\T.MYRICK 4-2-09

2009-04-01 18:07 . 2009-04-01 18:07 <DIR> d-------- c:\documents and settings\Imaging\Application Data\True Sword

2009-04-01 18:04 . 2009-04-03 14:14 <DIR> d-------- c:\program files\True Sword 5

2009-04-01 17:19 . 2009-04-03 19:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-04-01 17:17 . 2009-04-01 17:50 <DIR> d-------- c:\windows\SxsCaPendDel

2009-04-01 16:06 . 2009-04-01 16:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard

2009-04-01 16:05 . 2009-04-01 16:05 <DIR> d-------- c:\program files\Common Files\iS3

2009-04-01 16:05 . 2009-04-01 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!

2009-03-24 09:09 . 2009-03-27 13:18 130,040,832 --a------ C:\RDH Chemical.pst

2009-03-12 12:05 . 2009-03-12 12:05 <DIR> d-------- c:\documents and settings\Imaging\Tracing

2009-03-12 12:04 . 2009-03-12 12:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Applications

2009-03-12 12:04 . 2008-12-22 14:43 82,768 --a------ c:\windows\system32\lmdimon8.dll

2009-03-10 12:41 . 2009-04-06 19:08 2,401 --a------ c:\windows\system32\drivers\AlKernel.sys

2009-03-10 12:41 . 2009-04-06 19:08 1,380 --a------ C:\AClient.cfg

2009-03-10 12:41 . 2009-03-10 16:57 41 --a------ C:\AClient.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-06 20:24 --------- d-----w c:\documents and settings\Imaging\Application Data\ShoreWare Client

2009-04-01 18:29 67 ----a-w c:\program files\090331.WordFiles.txt

2009-03-26 18:05 --------- d-----w c:\documents and settings\All Users\Application Data\Juniper Networks

2009-03-10 19:41 --------- d-----w c:\program files\Altiris

2009-03-09 15:22 69 ----a-w c:\program files\090116.OutlookDates.txt

2009-02-10 20:14 81 ----a-w c:\program files\090210.Imaging.IEintranetaddition.txt

2009-02-10 20:14 57 ----a-w c:\program files\090210.TimeService.txt

2009-01-30 19:55 54 ----a-w c:\program files\090130.LFHSmainUpDate.txt

2009-01-19 18:35 57 ----a-w c:\program files\090116.XP.txt

2009-01-12 17:18 110 ----a-w c:\program files\090108.nrtEchoPrune.txt

2008-12-31 21:00 110 ----a-w c:\program files\081226.nrtEchoPrune.txt

2008-12-26 18:45 353 ----a-w c:\program files\echopruneinstall.bat

2008-12-26 18:35 57 ----a-w c:\program files\echoprune.bat

2008-12-22 16:44 58 ----a-w c:\program files\081218.IE7.txt

2008-12-22 16:42 67 ----a-w c:\program files\081216.WordFiles.txt

2008-12-13 17:28 67 ----a-w c:\program files\081211.WordFiles.txt

2008-10-30 02:46 56 ----a-w c:\program files\081023.Imaging.NK2Fix.txt

2008-09-29 19:54 77 ----a-w c:\program files\080917.Imaging.IEtrustedSites.txt

2008-09-04 04:43 110 ----a-w c:\program files\080821.nrtEchoPrune.txt

2008-08-13 23:12 103 ----a-w c:\program files\080812.QV-IEintegration.txt

2008-06-23 19:46 73 ----a-w c:\program files\080620.Imaging.OfficeHelpFix.txt

2008-06-23 19:46 62 ----a-w c:\program files\080619.Imaging.PowerPointClipArtFix.txt

2008-05-27 23:46 67 ----a-w c:\program files\080508.Imaging.OLsecsetfix.txt

2008-03-20 16:23 48 ----a-w c:\program files\080307.DocXTools.txt

2008-03-14 19:28 66 ----a-w c:\program files\080312.Imaging.OLsecZ3fix.txt

2008-01-24 19:33 50 ----a-w c:\program files\080122.LiveMeeting.txt

2008-01-22 18:50 60 ----a-w c:\program files\080118.Best.txt

2008-01-22 18:50 60 ----a-w c:\program files\080116.Best.txt

2008-01-22 18:50 54 ----a-w c:\program files\080117.Defrag.txt

2007-12-28 19:15 60 ----a-w c:\program files\071220.Imaging.Printerupgrade.txt

2007-12-06 21:37 54 ----a-w c:\program files\071128.Imaging.Printerupgrade.txt

2007-11-26 16:00 61 ----a-w c:\program files\071116.Imaging.Printerupgrade.txt

2007-10-15 14:53 67 ----a-w c:\program files\071003.Word2003Macros.txt

2007-09-24 14:53 56 ----a-w c:\program files\070920.Interwoven.txt

2007-08-27 22:09 0 ----a-w c:\program files\070814.USCF.txt

2007-06-25 22:04 103 ----a-w c:\program files\070615.CarpeDiem.txt

2007-03-07 23:26 59 ----a-w c:\program files\070306.NewDST.txt

2007-01-11 17:04 66 ----a-w c:\program files\070110.USCF.txt

2005-09-19 23:19 150,490 ----a-w c:\program files\CBUSetup.zip

2005-09-09 19:17 62 ----a-w c:\program files\041006.Imaging.SigFix.txt

2005-09-09 19:16 74 ----a-w c:\program files\030703.Imaging.WordEnvironReg.txt

2005-01-13 19:40 78 ----a-w c:\program files\4400.txt

2003-12-16 22:02 60 ----a-w c:\program files\pjettest.txt

2008-08-20 23:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082020080821\index.dat

.

((((((((((((((((((((((((((((( SnapShot@2009-04-06_13.18.01.68 )))))))))))))))))))))))))))))))))))))))))

.

+ 2005-10-21 03:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE

+ 2008-04-14 00:12:38 26,112 ----a-w c:\windows\system32\dllcache\userinit.exe

- 2009-04-01 18:22:10 32,256 ----a-w c:\windows\system32\userinit.exe

+ 2008-04-14 00:12:38 26,112 ----a-w c:\windows\system32\userinit.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"ShoreTel Personal Call Manager"="c:\program files\Shoreline Communications\ShoreWare Client\StartCli.exe" [2008-03-29 41000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2005-03-06 276480]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-01-10 5513216]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-01-10 86016]

"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]

"FtLnSOP_setup"="c:\windows\Twain_32\Fjscan32\SOP\FtLnSOP.exe" [2003-12-19 212992]

"FJTWAIN Setup"="c:\windows\Twain_32\fjscan32\FjtwSetup.exe" [2003-04-24 126976]

"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]

"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-09-24 868352]

"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"AClntUsr"="c:\program files\Altiris\AClient\AClntUsr.EXE" [2009-04-06 184320]

"nwiz"="nwiz.exe" [2005-01-10 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-100000000002}\SC_Acrobat.exe [2006-12-08 25214]

Error Recovery Guide.lnk - c:\program files\PFU\Error Recovery Guide\FTErGuid.exe [2005-09-07 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=PTAPISP.DLL EQDtpSp.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Kf650a;Kf650a;c:\windows\system32\drivers\Kf650a2k.sys [2005-09-07 16405]

R0 KofaxIO;KofaxIO;c:\windows\system32\drivers\KofaxIO.sys [2005-09-07 41976]

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-07 58464]

R2 EQSharedEngine;EQ Shared Engine;c:\program files\Equitrac\Professional\Client\EQSharedEngine.exe [2007-09-06 1683456]

R2 InAspi32;InAspi32;c:\windows\system32\drivers\InAspi32.sys [2005-09-07 8704]

R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2005-07-25 476160]

R3 CBUSB;MARX CryptoTech LP;c:\windows\system32\drivers\CBUSB.sys [2005-09-19 45056]

R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2005-09-07 11520]

.

Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\defragtues.job

- C:\ [2009-04-06 19:08]

2009-03-25 c:\windows\Tasks\echoprune.job

- c:\program files\echoprune.bat [2008-12-26 11:35]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://luceweb/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: lfhs.com\sdmcxaac

Trusted Zone: lfhs.com\sircxaac

Trusted Zone: lfhs.com\slacxaac

Trusted Zone: lfhs.com\srscxaac

Trusted Zone: lfhs.com\ssdcxaac

Trusted Zone: lfhs.com\ssfcxaac

DPF: {68CDB19A-6305-4589-8C35-41E3502CD451} - hxxps://production.ms.svcrqst.xerox.com/prodfalcon/service_enu/16279/applets/SiebelOptionPack.cab

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-06 19:08:45

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]

"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Altiris\AClient\ACLIENT.EXE

c:\windows\system32\LxrJD31s.exe

c:\program files\Network Associates\Common Framework\FrameworkService.exe

c:\program files\Network Associates\VirusScan\mcshield.exe

c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe

c:\program files\Network Associates\VirusScan\vstskmgr.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\windows\system32\MsPMSPSv.exe

c:\progra~1\SHOREL~1\SHOREW~1\STCHost.exe

c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

c:\progra~1\SHOREL~1\SHOREW~1\CSISCMGR.exe

.

**************************************************************************

.

Completion time: 2009-04-06 19:12:06 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-07 02:12:02

ComboFix2.txt 2009-04-06 20:19:17

Pre-Run: 85,222,457,344 bytes free

Post-Run: 85,153,390,592 bytes free

209 --- E O F --- 2009-03-21 04:57:20
