Jump to content

Infected registry and files won't change


JN1
 Share

Recommended Posts

Hi

(1) Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:44:15 PM, on 4/16/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\TouchFreeze\TouchFreeze.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Outlook Express\msimn.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070425

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=WE...ZEzv3ynZ0m0ZK04

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: (no name) - {BA5514C7-6F20-478B-8C0B-543CBBCC8842} - C:\WINDOWS\system32\BROSNM.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [TouchFreeze] C:\Program Files\TouchFreeze\TouchFreeze.exe

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {203C12EA-EF5A-4989-BD68-5844A877A9AF} (prjOCFTools.OCFTools) - http://ocf.rogershelp.com/prjOCFTools.CAB

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://ra.camh.net/QSTSWeb/msrdp.cab

O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll

O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--

End of file - 7813 bytes

(2) Here is my MB log:

Malwarebytes' Anti-Malware 1.36

Database version: 1987

Windows 5.1.2600 Service Pack 2

4/16/2009 7:53:54 AM

mbam-log-2009-04-16 (07-53-47).txt

Scan type: Quick Scan

Objects scanned: 81005

Time elapsed: 5 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ba5514c7-6f20-478b-8c0b-543cbbcc8842} (Trojan.BHO.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{ba5514c7-6f20-478b-8c0b-543cbbcc8842} (Trojan.BHO.H) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\BROSNM.dll (Trojan.BHO.H) -> No action taken.

C:\Documents and Settings\JN\Local Settings\Temp\jhpwyrjt.dat (Rootkit.Agent) -> No action taken.

-------------------------

(3) And Here is my Problem:

MB fails to delete these either directly or on the next reboot.

HJT also fails to fix (delete) the registry entry

Manual attempts to delete or edit the registry entries also fail (the registry does not allow me to edit permissions for these);

All programs that I have tried in order to unlock and kill these files (include File Assassin) also failed.

Any suggestions?

Thanks

Link to post
Share on other sites

Hi. :)

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply

Note: Do not mouseclick Combofix's window while its running. That may cause it to stall

Link to post
Share on other sites

Hi. :)

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply

Note: Do not mouseclick Combofix's window while its running. That may cause it to stall

Thanks for the quick reply. I am attaching the ComboFix log and the Hijack This log. You will note that I tried dragging two files for deletion into Combofix (it failed). The HijackThis log follows. Thanks again.

CF LOG:

ComboFix 09-04-17.01 - JN 04/16/2009 18:17.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526.1074 [GMT -4:00]

Running from: c:\documents and settings\JN\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\JN\Desktop\cfscript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

* Created a new restore point

FILE ::

c:\documents and settings\JN\Local Settings\Temp\jhpwyrjt.dat

c:\windows\system32\BROSNM.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\JN\Local Settings\Temp\jhpwyrjt.dat . . . . failed to delete

c:\windows\system32\BROSNM.dll . . . . failed to delete

.

((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))

.

2009-04-16 21:02 . 2009-04-16 21:02 -------- dc----w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

2009-04-16 16:50 . 2009-04-16 16:50 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys

2009-04-16 14:59 . 2009-04-16 15:00 -------- d-----w C:\New Folder

2009-04-16 02:17 . 2009-04-16 02:17 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-04-16 02:01 . 2009-04-16 02:01 -------- d-----w c:\documents and settings\JN\Application Data\SUPERAntiSpyware.com

2009-04-16 01:54 . 2009-04-16 01:54 -------- d-----w c:\documents and settings\JN\Application Data\Malwarebytes

2009-04-16 01:54 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-16 01:54 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-16 01:54 . 2009-04-16 01:54 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-15 02:35 . 2009-04-15 23:08 0 ----a-w c:\windows\Ekegatoqe.bin

2009-04-15 02:35 . 2009-04-15 02:35 -------- d-----w c:\documents and settings\JN\Local Settings\Application Data\{94F9A716-C8F3-4569-9C48-264A07F0D282}

2009-04-15 02:35 . 2009-04-16 01:29 408 ----a-w c:\windows\Qwowadu.dat

2009-04-15 02:16 . 2009-04-15 02:16 615 ----a-w c:\windows\system32\s5NYRKLt8CV2v.vbs

2009-04-13 22:31 . 2003-08-21 06:00 97792 ----a-w c:\windows\system32\BROSNM.dll

2009-04-13 22:31 . 2009-04-13 22:35 69194 ----a-w c:\windows\system32\icudfibxwnyose.dll-uninst.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-16 22:21 . 2009-04-16 22:21 5690 ----a-w C:\avenger.txt

2009-04-16 21:58 . 2009-04-16 21:58 -------- d-----w c:\program files\ACW

2009-04-16 20:38 . 2007-04-25 06:05 28160 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-16 16:07 . 2009-04-16 16:07 -------- d-----w c:\program files\FileASSASSIN

2009-04-16 15:58 . 2009-04-16 15:58 -------- d-----w c:\program files\Enigma Software Group

2009-04-16 15:32 . 2009-04-16 15:26 -------- d-----w c:\program files\RegCure

2009-04-16 14:05 . 2009-04-16 14:05 -------- d-----w c:\program files\Common Files\Gibinsoft Shared

2009-04-16 14:05 . 2009-04-16 14:05 -------- d-----w c:\program files\GiPo@Utilities

2009-04-16 13:32 . 2009-04-16 13:32 -------- d-----w c:\program files\Unlocker

2009-04-16 02:01 . 2009-04-16 02:01 -------- d-----w c:\program files\SUPERAntiSpyware

2009-04-16 01:57 . 2009-04-16 01:57 -------- d-----w c:\program files\Marcos Velasco Security

2009-04-16 01:56 . 2009-04-16 01:56 -------- d-----w c:\program files\CCleaner

2009-04-16 01:54 . 2009-04-16 01:54 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-15 20:54 . 2009-04-16 00:06 5300 ----a-w C:\Yoog steps.txt

2009-04-15 02:52 . 2009-04-15 02:52 -------- d-----w c:\program files\Trend Micro

2009-04-14 01:39 . 2009-02-24 00:44 -------- d-----w c:\documents and settings\JN\Application Data\LimeWire

2009-04-13 22:15 . 2009-04-13 22:15 -------- d-----w c:\program files\360Share Pro

2009-04-13 20:47 . 2009-04-13 20:47 -------- d-----w c:\program files\7-Zip

2009-04-08 01:40 . 2009-04-08 01:40 -------- d-----w c:\program files\MSECache

2009-03-09 22:18 . 2007-08-13 02:27 24272 ----a-w c:\documents and settings\JN\Application Data\GDIPFONTCACHEV1.DAT

2009-02-28 23:17 . 2009-02-28 23:13 -------- d-----w c:\program files\QuickTax 2008

2009-02-27 00:59 . 2008-01-12 15:42 -------- d-----w c:\documents and settings\JN\Application Data\EndNote

2009-02-24 00:44 . 2007-06-05 21:57 -------- d-----w c:\program files\LimeWire

2009-02-11 14:41 . 2009-02-11 14:41 520851 ----a-w C:\Beatriz PG Life Sciences 2009.eml

2009-01-31 03:11 . 2009-01-31 01:34 84472 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2008-09-24 23:09 . 2007-05-09 23:25 2114 ----a-w c:\documents and settings\JN\Application Data\WWB7_32.DAT

2008-02-24 23:00 . 2008-02-24 23:00 81920 ----a-w c:\documents and settings\JN\Application Data\ezpinst.exe

2008-02-24 23:00 . 2008-02-24 23:00 47360 ----a-w c:\documents and settings\JN\Application Data\pcouffin.sys

2007-07-28 18:06 . 2007-07-28 18:06 722176 ----a-w c:\documents and settings\JN\gotomypc_428.exe

2007-06-04 21:25 . 2007-06-05 22:59 237568 -c--a-w c:\program files\Uninstall Morpheus Toolbar.dll

2007-04-25 06:05 . 2007-10-13 01:37 12328 ----a-w c:\documents and settings\Friends\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2007-04-25 06:05 . 2007-05-05 00:04 12328 ----a-w c:\documents and settings\JN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2007-04-25 05:56 . 2007-10-13 01:37 136 ----a-w c:\documents and settings\Friends\Local Settings\Application Data\fusioncache.dat

2007-04-25 05:56 . 2007-05-05 00:04 136 ----a-w c:\documents and settings\JN\Local Settings\Application Data\fusioncache.dat

2007-04-25 05:56 . 2007-04-25 05:56 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA5514C7-6F20-478B-8C0B-543CBBCC8842}]

2003-08-21 06:00 97792 ----a-w c:\windows\system32\BROSNM.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"TouchFreeze"="c:\program files\TouchFreeze\TouchFreeze.exe" [2005-04-29 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]

backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mount.exe]

2008-04-11 20:17 374272 ----a-w c:\util\mount.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]

2009-04-02 18:53 868352 ----a-w c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WZCSVC"=2 (0x2)

"TapiSrv"=3 (0x3)

"SPBBCSvc"=2 (0x2)

"SCardSvr"=2 (0x2)

"S24EventMonitor"=2 (0x2)

"DefWatch"=2 (0x2)

"ccSetMgr"=2 (0x2)

"ccEvtMgr"=2 (0x2)

"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

R3 AvSynMgr;AVSync Manager;c:\program files\Network Associates\VirusScan\Avsynmgr.exe [2001-04-30 155665]

R3 NaiFiltr;NaiFiltr;c:\program files\Common Files\Network Associates\McShield\NaiFiltr.sys [2001-04-30 24480]

R3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\DRIVERS\OMVA.sys [2002-11-20 14924]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]

R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-28 116464]

S0 NaiFsRec;NaiFsRec;c:\windows\system32\drivers\NaiFsRec.sys [2001-04-30 4512]

S0 uowtvoiv;uowtvoiv;c:\windows\system32\drivers\uowtvoiv.sys [2004-08-04 23424]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-16 101936]

.

Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job

- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2007-02-09 06:04]

2009-04-16 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-04-16 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=WEGgZKKQApaAZEzv3ynZ0m0ZK04

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll

FF - ProfilePath - c:\documents and settings\JN\Application Data\Mozilla\Firefox\Profiles\t3c2nlzk.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=

FF - prefs.js: browser.search.selectedEngine - Yoog Search

FF - prefs.js: browser.startup.homepage - about:blank

FF - prefs.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=

FF - component: c:\documents and settings\JN\Application Data\Mozilla\Firefox\Profiles\t3c2nlzk.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll

---- FIREFOX POLICIES ----

FF - user.js: google.toolbar.linkdoctor.enabled - false

FF - user.js: browser.search.defaultenginename - Yoog Search

FF - user.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=

FF - user.js: browser.search.selectedEngine - Yoog Search

FF - user.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=

FF - user.js: keyword.enabled - true

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-16 18:22

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1072)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(1128)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(3972)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Dell\QuickSet\NicConfigSvc.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

c:\program files\Apoint\hidfind.exe

c:\program files\Apoint\ApntEx.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-04-16 18:25 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-16 22:25

ComboFix2.txt 2009-04-16 20:38

Pre-Run: 52,054,614,016 bytes free

Post-Run: 52,041,674,752 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

219 --- E O F --- 2008-05-19 19:43

HijakThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:50:59 PM, on 4/16/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\TouchFreeze\TouchFreeze.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070425

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=WE...ZEzv3ynZ0m0ZK04

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: (no name) - {BA5514C7-6F20-478B-8C0B-543CBBCC8842} - C:\WINDOWS\system32\BROSNM.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [TouchFreeze] C:\Program Files\TouchFreeze\TouchFreeze.exe

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {203C12EA-EF5A-4989-BD68-5844A877A9AF} (prjOCFTools.OCFTools) - http://ocf.rogershelp.com/prjOCFTools.CAB

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://ra.camh.net/QSTSWeb/msrdp.cab

O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll

O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--

End of file - 7582 bytes

Link to post
Share on other sites

Not sure why you dragged the files onto it; you were never asked to. Please stick to the instructions.

1. Please open Notepad

  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\documents and settings\JN\Local Settings\Temp\jhpwyrjt.dat

c:\windows\system32\BROSNM.dll

c:\windows\Ekegatoqe.bin

c:\windows\Qwowadu.dat

c:\windows\system32\s5NYRKLt8CV2v.vbs

c:\windows\system32\icudfibxwnyose.dll-uninst.exe

C:\avenger.txt

c:\program files\Uninstall Morpheus Toolbar.dll

c:\windows\system32\drivers\uowtvoiv.sys

c:\documents and settings\JN\Application Data\Mozilla\Firefox\Profiles\t3c2nlzk.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll

Folder::

c:\documents and settings\JN\Local Settings\Application Data\{94F9A716-C8F3-4569-9C48-264A07F0D282}

Driver::

uowtvoiv

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA5514C7-6F20-478B-8C0B-543CBBCC8842}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.
Link to post
Share on other sites

Not sure why you dragged the files onto it; you were never asked to. Please stick to the instructions.

1. Please open Notepad

  • Click Start , then Run

  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt

  • A new HijackThis log.

------------------------------------------------------------

It worked perfectly, thanks for the terrific help. Here are the logs:

Combofix log:

ComboFix 09-04-17.01 - JN 04/16/2009 20:56.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526.1068 [GMT -4:00]

Running from: c:\documents and settings\JN\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\JN\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

* Created a new restore point

FILE ::

C:\avenger.txt

c:\documents and settings\JN\Application Data\Mozilla\Firefox\Profiles\t3c2nlzk.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll

c:\documents and settings\JN\Local Settings\Temp\jhpwyrjt.dat

c:\program files\Uninstall Morpheus Toolbar.dll

c:\windows\Ekegatoqe.bin

c:\windows\Qwowadu.dat

c:\windows\system32\BROSNM.dll

c:\windows\system32\drivers\uowtvoiv.sys

c:\windows\system32\icudfibxwnyose.dll-uninst.exe

c:\windows\system32\s5NYRKLt8CV2v.vbs

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\JN\Application Data\Mozilla\Firefox\Profiles\t3c2nlzk.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll

c:\documents and settings\JN\Local Settings\Application Data\{94F9A716-C8F3-4569-9C48-264A07F0D282}

c:\documents and settings\JN\Local Settings\Application Data\{94F9A716-C8F3-4569-9C48-264A07F0D282}\chrome.manifest

c:\documents and settings\JN\Local Settings\Application Data\{94F9A716-C8F3-4569-9C48-264A07F0D282}\chrome\content\_cfg.js

c:\documents and settings\JN\Local Settings\Application Data\{94F9A716-C8F3-4569-9C48-264A07F0D282}\chrome\content\c.js

c:\documents and settings\JN\Local Settings\Application Data\{94F9A716-C8F3-4569-9C48-264A07F0D282}\chrome\content\overlay.xul

c:\documents and settings\JN\Local Settings\Application Data\{94F9A716-C8F3-4569-9C48-264A07F0D282}\install.rdf

c:\documents and settings\JN\Local Settings\Temp\jhpwyrjt.dat

c:\program files\Uninstall Morpheus Toolbar.dll

c:\windows\Ekegatoqe.bin

c:\windows\Qwowadu.dat

c:\windows\system32\BROSNM.dll

c:\windows\system32\drivers\uowtvoiv.sys

c:\windows\system32\icudfibxwnyose.dll-uninst.exe

c:\windows\system32\s5NYRKLt8CV2v.vbs

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_UOWTVOIV

-------\Service_uowtvoiv

((((((((((((((((((((((((( Files Created from 2009-03-17 to 2009-04-17 )))))))))))))))))))))))))))))))

.

2009-04-17 00:20 . 2009-04-17 00:20 -------- d-----w C:\RkUnhooker

2009-04-16 21:02 . 2009-04-16 21:02 -------- dc----w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

2009-04-16 16:50 . 2009-04-16 16:50 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys

2009-04-16 14:59 . 2009-04-16 15:00 -------- d-----w C:\New Folder

2009-04-16 02:17 . 2009-04-16 02:17 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-04-16 02:01 . 2009-04-16 02:01 -------- d-----w c:\documents and settings\JN\Application Data\SUPERAntiSpyware.com

2009-04-16 01:54 . 2009-04-16 01:54 -------- d-----w c:\documents and settings\JN\Application Data\Malwarebytes

2009-04-16 01:54 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-16 01:54 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-16 01:54 . 2009-04-16 01:54 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-17 00:57 . 2004-08-11 22:00 23424 ----a-w c:\windows\system32\drivers\jzjctgks.sys

2009-04-17 00:42 . 2009-04-16 01:57 -------- d-----w c:\program files\Marcos Velasco Security

2009-04-16 21:58 . 2009-04-16 21:58 -------- d-----w c:\program files\ACW

2009-04-16 20:38 . 2007-04-25 06:05 28160 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-16 16:07 . 2009-04-16 16:07 -------- d-----w c:\program files\FileASSASSIN

2009-04-16 15:58 . 2009-04-16 15:58 -------- d-----w c:\program files\Enigma Software Group

2009-04-16 15:32 . 2009-04-16 15:26 -------- d-----w c:\program files\RegCure

2009-04-16 14:05 . 2009-04-16 14:05 -------- d-----w c:\program files\Common Files\Gibinsoft Shared

2009-04-16 14:05 . 2009-04-16 14:05 -------- d-----w c:\program files\GiPo@Utilities

2009-04-16 13:32 . 2009-04-16 13:32 -------- d-----w c:\program files\Unlocker

2009-04-16 02:01 . 2009-04-16 02:01 -------- d-----w c:\program files\SUPERAntiSpyware

2009-04-16 01:56 . 2009-04-16 01:56 -------- d-----w c:\program files\CCleaner

2009-04-16 01:54 . 2009-04-16 01:54 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-15 20:54 . 2009-04-16 00:06 5300 ----a-w C:\Yoog steps.txt

2009-04-15 02:52 . 2009-04-15 02:52 -------- d-----w c:\program files\Trend Micro

2009-04-14 01:39 . 2009-02-24 00:44 -------- d-----w c:\documents and settings\JN\Application Data\LimeWire

2009-04-13 22:15 . 2009-04-13 22:15 -------- d-----w c:\program files\360Share Pro

2009-04-13 20:47 . 2009-04-13 20:47 -------- d-----w c:\program files\7-Zip

2009-04-08 01:40 . 2009-04-08 01:40 -------- d-----w c:\program files\MSECache

2009-03-09 22:18 . 2007-08-13 02:27 24272 ----a-w c:\documents and settings\JN\Application Data\GDIPFONTCACHEV1.DAT

2009-02-28 23:17 . 2009-02-28 23:13 -------- d-----w c:\program files\QuickTax 2008

2009-02-27 00:59 . 2008-01-12 15:42 -------- d-----w c:\documents and settings\JN\Application Data\EndNote

2009-02-24 00:44 . 2007-06-05 21:57 -------- d-----w c:\program files\LimeWire

2009-02-11 14:41 . 2009-02-11 14:41 520851 ----a-w C:\Beatriz PG Life Sciences 2009.eml

2009-01-31 03:11 . 2009-01-31 01:34 84472 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2008-09-24 23:09 . 2007-05-09 23:25 2114 ----a-w c:\documents and settings\JN\Application Data\WWB7_32.DAT

2008-02-24 23:00 . 2008-02-24 23:00 81920 ----a-w c:\documents and settings\JN\Application Data\ezpinst.exe

2008-02-24 23:00 . 2008-02-24 23:00 47360 ----a-w c:\documents and settings\JN\Application Data\pcouffin.sys

2007-07-28 18:06 . 2007-07-28 18:06 722176 ----a-w c:\documents and settings\JN\gotomypc_428.exe

2007-04-25 06:05 . 2007-10-13 01:37 12328 ----a-w c:\documents and settings\Friends\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2007-04-25 06:05 . 2007-05-05 00:04 12328 ----a-w c:\documents and settings\JN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2007-04-25 05:56 . 2007-10-13 01:37 136 ----a-w c:\documents and settings\Friends\Local Settings\Application Data\fusioncache.dat

2007-04-25 05:56 . 2007-05-05 00:04 136 ----a-w c:\documents and settings\JN\Local Settings\Application Data\fusioncache.dat

2007-04-25 05:56 . 2007-04-25 05:56 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"TouchFreeze"="c:\program files\TouchFreeze\TouchFreeze.exe" [2005-04-29 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]

backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mount.exe]

2008-04-11 20:17 374272 ----a-w c:\util\mount.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]

2009-04-02 18:53 868352 ----a-w c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WZCSVC"=2 (0x2)

"TapiSrv"=3 (0x3)

"SPBBCSvc"=2 (0x2)

"SCardSvr"=2 (0x2)

"S24EventMonitor"=2 (0x2)

"DefWatch"=2 (0x2)

"ccSetMgr"=2 (0x2)

"ccEvtMgr"=2 (0x2)

"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

R3 AvSynMgr;AVSync Manager;c:\program files\Network Associates\VirusScan\Avsynmgr.exe [2001-04-30 155665]

R3 NaiFiltr;NaiFiltr;c:\program files\Common Files\Network Associates\McShield\NaiFiltr.sys [2001-04-30 24480]

R3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\DRIVERS\OMVA.sys [2002-11-20 14924]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]

R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-28 116464]

S0 NaiFsRec;NaiFsRec;c:\windows\system32\drivers\NaiFsRec.sys [2001-04-30 4512]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-16 101936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - UOWTVOIV

.

Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job

- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2007-02-09 06:04]

2009-04-16 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-04-16 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=WEGgZKKQApaAZEzv3ynZ0m0ZK04

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll

FF - ProfilePath - c:\documents and settings\JN\Application Data\Mozilla\Firefox\Profiles\t3c2nlzk.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=

FF - prefs.js: browser.search.selectedEngine - Yoog Search

FF - prefs.js: browser.startup.homepage - about:blank

FF - prefs.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=

---- FIREFOX POLICIES ----

FF - user.js: google.toolbar.linkdoctor.enabled - false

FF - user.js: browser.search.defaultenginename - Yoog Search

FF - user.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=

FF - user.js: browser.search.selectedEngine - Yoog Search

FF - user.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=

FF - user.js: keyword.enabled - true

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-16 21:01

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1068)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(1124)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(1664)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Apoint\hidfind.exe

c:\program files\Apoint\ApntEx.exe

c:\program files\Dell\QuickSet\NicConfigSvc.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-04-17 21:04 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-17 01:04

ComboFix2.txt 2009-04-16 22:25

ComboFix3.txt 2009-04-16 20:38

Pre-Run: 51,987,410,944 bytes free

Post-Run: 51,985,735,680 bytes free

230 --- E O F --- 2008-05-19 19:43

Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:15:17 PM, on 4/16/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\TouchFreeze\TouchFreeze.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070425

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=WE...ZEzv3ynZ0m0ZK04

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [TouchFreeze] C:\Program Files\TouchFreeze\TouchFreeze.exe

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {203C12EA-EF5A-4989-BD68-5844A877A9AF} (prjOCFTools.OCFTools) - http://ocf.rogershelp.com/prjOCFTools.CAB

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://ra.camh.net/QSTSWeb/msrdp.cab

O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll

O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--

End of file - 7474 bytes

And one more MB log:

Malwarebytes' Anti-Malware 1.36

Database version: 1989

Windows 5.1.2600 Service Pack 2

4/16/2009 9:35:12 PM

mbam-log-2009-04-16 (21-35-12).txt

Scan type: Quick Scan

Objects scanned: 80694

Time elapsed: 3 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-------------------

Again, THANK YOU very much for the excellent help and support!!

Link to post
Share on other sites

1. Please open Notepad

  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\system32\drivers\jzjctgks.sys

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.
Link to post
Share on other sites

1. Please open Notepad
  • Click Start , then Run

  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt

  • A new HijackThis log.

-----------------------------

OK, here is the Combofix Log:

ComboFix 09-04-17.01 - JN 04/16/2009 22:34.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526.1155 [GMT -4:00]

Running from: c:\documents and settings\JN\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\JN\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

* Created a new restore point

FILE ::

c:\windows\system32\drivers\jzjctgks.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\jzjctgks.sys

.

((((((((((((((((((((((((( Files Created from 2009-03-17 to 2009-04-17 )))))))))))))))))))))))))))))))

.

2009-04-17 00:20 . 2009-04-17 00:20 -------- d-----w C:\RkUnhooker

2009-04-16 21:02 . 2009-04-16 21:02 -------- dc----w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

2009-04-16 16:50 . 2009-04-16 16:50 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys

2009-04-16 14:59 . 2009-04-16 15:00 -------- d-----w C:\New Folder

2009-04-16 02:17 . 2009-04-16 02:17 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-04-16 02:01 . 2009-04-16 02:01 -------- d-----w c:\documents and settings\JN\Application Data\SUPERAntiSpyware.com

2009-04-16 01:54 . 2009-04-16 01:54 -------- d-----w c:\documents and settings\JN\Application Data\Malwarebytes

2009-04-16 01:54 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-16 01:54 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-16 01:54 . 2009-04-16 01:54 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-17 01:53 . 2009-04-16 01:57 -------- d-----w c:\program files\Marcos Velasco Security

2009-04-17 01:50 . 2007-05-09 22:24 -------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-04-17 01:50 . 2007-05-19 12:23 -------- d-----w c:\program files\Lavasoft

2009-04-17 01:49 . 2009-04-16 15:58 -------- d-----w c:\program files\Enigma Software Group

2009-04-17 01:48 . 2008-05-30 00:15 -------- d-----w c:\program files\EasyZip

2009-04-16 21:58 . 2009-04-16 21:58 -------- d-----w c:\program files\ACW

2009-04-16 20:38 . 2007-04-25 06:05 28160 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-16 16:07 . 2009-04-16 16:07 -------- d-----w c:\program files\FileASSASSIN

2009-04-16 15:32 . 2009-04-16 15:26 -------- d-----w c:\program files\RegCure

2009-04-16 13:32 . 2009-04-16 13:32 -------- d-----w c:\program files\Unlocker

2009-04-16 02:01 . 2009-04-16 02:01 -------- d-----w c:\program files\SUPERAntiSpyware

2009-04-16 01:56 . 2009-04-16 01:56 -------- d-----w c:\program files\CCleaner

2009-04-16 01:54 . 2009-04-16 01:54 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-15 20:54 . 2009-04-16 00:06 5300 ----a-w C:\Yoog steps.txt

2009-04-15 02:52 . 2009-04-15 02:52 -------- d-----w c:\program files\Trend Micro

2009-04-14 01:39 . 2009-02-24 00:44 -------- d-----w c:\documents and settings\JN\Application Data\LimeWire

2009-04-13 22:15 . 2009-04-13 22:15 -------- d-----w c:\program files\360Share Pro

2009-04-13 20:47 . 2009-04-13 20:47 -------- d-----w c:\program files\7-Zip

2009-04-08 01:40 . 2009-04-08 01:40 -------- d-----w c:\program files\MSECache

2009-03-09 22:18 . 2007-08-13 02:27 24272 ----a-w c:\documents and settings\JN\Application Data\GDIPFONTCACHEV1.DAT

2009-02-28 23:17 . 2009-02-28 23:13 -------- d-----w c:\program files\QuickTax 2008

2009-02-27 00:59 . 2008-01-12 15:42 -------- d-----w c:\documents and settings\JN\Application Data\EndNote

2009-02-24 00:44 . 2007-06-05 21:57 -------- d-----w c:\program files\LimeWire

2009-02-11 14:41 . 2009-02-11 14:41 520851 ----a-w C:\Beatriz PG Life Sciences 2009.eml

2009-01-31 03:11 . 2009-01-31 01:34 84472 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2008-09-24 23:09 . 2007-05-09 23:25 2114 ----a-w c:\documents and settings\JN\Application Data\WWB7_32.DAT

2008-02-24 23:00 . 2008-02-24 23:00 81920 ----a-w c:\documents and settings\JN\Application Data\ezpinst.exe

2008-02-24 23:00 . 2008-02-24 23:00 47360 ----a-w c:\documents and settings\JN\Application Data\pcouffin.sys

2007-07-28 18:06 . 2007-07-28 18:06 722176 ----a-w c:\documents and settings\JN\gotomypc_428.exe

2007-04-25 06:05 . 2007-10-13 01:37 12328 ----a-w c:\documents and settings\Friends\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2007-04-25 06:05 . 2007-05-05 00:04 12328 ----a-w c:\documents and settings\JN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2007-04-25 05:56 . 2007-10-13 01:37 136 ----a-w c:\documents and settings\Friends\Local Settings\Application Data\fusioncache.dat

2007-04-25 05:56 . 2007-05-05 00:04 136 ----a-w c:\documents and settings\JN\Local Settings\Application Data\fusioncache.dat

2007-04-25 05:56 . 2007-04-25 05:56 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat

.

((((((((((((((((((((((((((((( SnapShot@2009-04-17_01.01.13 )))))))))))))))))))))))))))))))))))))))))

.

+ 2004-08-11 22:00 . 2009-04-17 02:05 72134 c:\windows\system32\perfc009.dat

- 2004-08-11 22:00 . 2009-04-16 01:39 72134 c:\windows\system32\perfc009.dat

+ 2004-08-11 22:12 . 2008-10-16 18:12 202776 c:\windows\system32\wuweb.dll

+ 2004-08-11 22:00 . 2009-04-17 02:05 443034 c:\windows\system32\perfh009.dat

- 2004-08-11 22:00 . 2009-04-16 01:39 443034 c:\windows\system32\perfh009.dat

+ 2004-08-11 22:12 . 2008-10-16 18:12 202776 c:\windows\system32\dllcache\wuweb.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"TouchFreeze"="c:\program files\TouchFreeze\TouchFreeze.exe" [2005-04-29 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]

backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WZCSVC"=2 (0x2)

"TapiSrv"=3 (0x3)

"SPBBCSvc"=2 (0x2)

"SCardSvr"=2 (0x2)

"S24EventMonitor"=2 (0x2)

"DefWatch"=2 (0x2)

"ccSetMgr"=2 (0x2)

"ccEvtMgr"=2 (0x2)

"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

R3 AvSynMgr;AVSync Manager;c:\program files\Network Associates\VirusScan\Avsynmgr.exe [2001-04-30 155665]

R3 NaiFiltr;NaiFiltr;c:\program files\Common Files\Network Associates\McShield\NaiFiltr.sys [2001-04-30 24480]

R3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\DRIVERS\OMVA.sys [2002-11-20 14924]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]

R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-28 116464]

S0 NaiFsRec;NaiFsRec;c:\windows\system32\drivers\NaiFsRec.sys [2001-04-30 4512]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-16 101936]

.

Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job

- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2007-02-09 06:04]

2009-04-16 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-04-16 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=WEGgZKKQApaAZEzv3ynZ0m0ZK04

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll

FF - ProfilePath - c:\documents and settings\JN\Application Data\Mozilla\Firefox\Profiles\t3c2nlzk.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=

FF - prefs.js: browser.search.selectedEngine - Yoog Search

FF - prefs.js: browser.startup.homepage - about:blank

FF - prefs.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=

FF - component: c:\documents and settings\JN\Application Data\Mozilla\Firefox\Profiles\t3c2nlzk.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll

---- FIREFOX POLICIES ----

FF - user.js: google.toolbar.linkdoctor.enabled - false

FF - user.js: browser.search.defaultenginename - Yoog Search

FF - user.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=

FF - user.js: browser.search.selectedEngine - Yoog Search

FF - user.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=

FF - user.js: keyword.enabled - true

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-16 22:38

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1060)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(1116)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(2516)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Apoint\hidfind.exe

c:\program files\Apoint\ApntEx.exe

c:\program files\Dell\QuickSet\NicConfigSvc.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-04-17 22:41 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-17 02:41

ComboFix2.txt 2009-04-17 02:30

ComboFix3.txt 2009-04-17 01:04

ComboFix4.txt 2009-04-16 22:25

ComboFix5.txt 2009-04-17 02:33

Pre-Run: 51,951,304,704 bytes free

Post-Run: 51,936,419,840 bytes free

207 --- E O F --- 2008-05-19 19:43

And here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:46:48 PM, on 4/16/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\TouchFreeze\TouchFreeze.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070425

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=WE...ZEzv3ynZ0m0ZK04

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [TouchFreeze] C:\Program Files\TouchFreeze\TouchFreeze.exe

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {203C12EA-EF5A-4989-BD68-5844A877A9AF} (prjOCFTools.OCFTools) - http://ocf.rogershelp.com/prjOCFTools.CAB

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1239933614671

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://ra.camh.net/QSTSWeb/msrdp.cab

O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll

O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--

End of file - 7615 bytes

Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.