Jump to content

Cant remove Rogue.Agent, Trojan.Agent and Rootkit.Trace


Recommended Posts

Hi,

I have ran Malwarebytes full scan several times but the same infections remain after rebooting.

Mbam and HijackThis logs follow.

Please help.

Thanks

Neil

Malwarebytes' Anti-Malware 1.40

Database version: 2649

Windows 5.1.2600 Service Pack 3

08/19/09 11:00:00 AM

mbam-log-2009-08-19 (11-00-00).txt

Scan type: Quick Scan

Objects scanned: 110522

Time elapsed: 9 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\system32\UACalqekcpqsn.dll (Rogue.Agent) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\systemroot\system32\UACalqekcpqsn.dll (Rogue.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:04:55 AM, on 08/19/09

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Synaptics\SynTP\Toshiba.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\TomTom HOME 2\HOMERunner.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UniPrint.exe

C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Malwarebytes' Anti-Malware\run-mbam.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\SYSTEM32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Virgin Net Broadband\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [HP Component Manager] "c:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [uniPrint] C:\PROGRA~1\UniPrint\Client\SetDfltSettings.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Antivirus\osCheck.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\RunOnce: [shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.learningplanet.com/act/mre/index.asp"

O4 - HKLM\..\Policies\Explorer\Run: []

O4 - HKUS\S-1-5-19\..\Run: [rugudukehe] Rundll32.exe "C:\WINDOWS\system32\hilayori.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [rugudukehe] Rundll32.exe "C:\WINDOWS\system32\hilayori.dll",s (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-3840902678-793521057-3591099756-1009\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User 'QBDataServiceUser17')

O4 - S-1-5-21-3840902678-793521057-3591099756-1009 Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'QBDataServiceUser17')

O4 - S-1-5-21-3840902678-793521057-3591099756-1009 User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'QBDataServiceUser17')

O4 - S-1-5-18 Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'SYSTEM')

O4 - .DEFAULT Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')

O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: UniPrint.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1120C1B3-8768-11D1-8108-020701190C00} (Spicer View Control) - http://10.23.81.58/edmsnet/ImageAx/Spicer73.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex...wareControl.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229781164000

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {658FB985-BC22-4FF9-BCD3-894101DAF28D} (AnnotationHandler.AnnotationManager) - http://10.23.81.58/edmsnet/ImageAx/Annotations.CAB

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} (NeroVersionCheckerControl Control) - http://www.nero.com/doc/NeroVersionCheckerControl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229781154328

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} (TIClientControl Object) - https://techinline.net/Client/TIClient.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://exact.webex.com/client/T26L/support/ieatgpc.cab

O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://map.hamilton.ca/InteractiveMaps/ACGM/Acgm.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: SafeNet Monitor Service (IPSECMON) - Unknown owner - C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe (file missing)

O23 - Service: SafeNet IKE Service (IREIKE) - Unknown owner - C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe (file missing)

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~3\QBDBMgrN.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 16223 bytes

Link to post
Share on other sites

  • Staff

Hi ncairns and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

Hi ncairns and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

New MBAM log follows:

Malwarebytes' Anti-Malware 1.40

Database version: 2663

Windows 5.1.2600 Service Pack 3

08/20/09 7:32:27 AM

mbam-log-2009-08-20 (07-32-27).txt

Scan type: Quick Scan

Objects scanned: 109453

Time elapsed: 7 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\system32\UACalqekcpqsn.dll (Rogue.Agent) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\systemroot\system32\UACalqekcpqsn.dll (Rogue.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

Link to post
Share on other sites

New MBAM log follows:

Malwarebytes' Anti-Malware 1.40

Database version: 2663

Windows 5.1.2600 Service Pack 3

08/20/09 7:32:27 AM

mbam-log-2009-08-20 (07-32-27).txt

Scan type: Quick Scan

Objects scanned: 109453

Time elapsed: 7 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\system32\UACalqekcpqsn.dll (Rogue.Agent) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\systemroot\system32\UACalqekcpqsn.dll (Rogue.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

ComboFix log:

ComboFix 09-08-19.06 - Neil 08/20/09 7:56.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.557 [GMT -4:00]

Running from: c:\documents and settings\Neil\My Documents\My Software\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\dat.txt

c:\windows\Downloaded Program Files\empty-part-dbl

c:\windows\Downloaded Program Files\empty-part-dbl\_pd

c:\windows\Downloaded Program Files\Fonts

c:\windows\Downloaded Program Files\Fonts\dvrdef.dat

c:\windows\Downloaded Program Files\Fonts\fontlib

c:\windows\Downloaded Program Files\Fonts\pdfdict.ps

c:\windows\Downloaded Program Files\Fonts\startup.ps

c:\windows\Downloaded Program Files\Fonts\type1.ps

c:\windows\Downloaded Program Files\sfigs

c:\windows\Downloaded Program Files\sfigs\mpd\lib\decal\rev\_pd

c:\windows\Downloaded Program Files\sfigs\mpd\lib\form\sheet\a0\_pd

c:\windows\Fonts\GREENPNT.TTF

c:\windows\Fonts\QBFimbul.ttf

c:\windows\Installer\7d2ae8.msp

c:\windows\system32\drivers\UACttkosswwbi.sys

c:\windows\system32\dumphive.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\UACalqekcpqsn.dll

c:\windows\system32\UACavicblnspy.dll

c:\windows\system32\UACgwvbloyqml.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACthbwipcbmb.dat

c:\windows\system32\uferilor.ini

c:\windows\system32\usivabiy.ini

c:\windows\winhelp.ini

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

-------\Legacy_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-07-20 to 2009-08-20 )))))))))))))))))))))))))))))))

.

2009-08-19 16:08 . 2009-06-29 20:11 875728 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2403.vdb\NAVEX15.SYS

2009-08-19 16:08 . 2009-06-29 20:11 87888 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2403.vdb\NAVENG.SYS

2009-08-19 16:08 . 2009-02-12 23:03 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2403.vdb\NAVEX32A.DLL

2009-08-19 16:08 . 2009-02-12 23:03 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2403.vdb\NAVENG32.DLL

2009-08-19 16:08 . 2009-08-18 08:00 259368 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2403.vdb\ECMSVR32.DLL

2009-08-19 16:08 . 2009-02-18 19:41 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2403.vdb\CCERASER.DLL

2009-08-19 16:08 . 2009-02-06 19:26 101936 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2403.vdb\ERASER.SYS

2009-08-19 16:08 . 2009-02-06 19:26 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2403.vdb\EECTRL.SYS

2009-08-19 15:04 . 2009-08-19 15:04 -------- d-----w- c:\program files\Trend Micro

2009-08-19 12:29 . 2009-08-19 12:29 -------- d-----w- c:\documents and settings\Neil\Local Settings\Application Data\assembly

2009-08-17 17:50 . 2009-06-29 20:11 875728 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0803.vdb\NAVEX15.SYS

2009-08-17 17:50 . 2009-02-12 23:03 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0803.vdb\NAVEX32A.DLL

2009-08-17 17:50 . 2009-06-29 20:11 87888 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0803.vdb\NAVENG.SYS

2009-08-17 17:50 . 2009-02-12 23:03 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0803.vdb\NAVENG32.DLL

2009-08-17 17:50 . 2009-08-04 08:00 259368 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0803.vdb\ECMSVR32.DLL

2009-08-17 17:50 . 2009-02-06 19:26 101936 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0803.vdb\ERASER.SYS

2009-08-17 17:50 . 2009-02-06 19:26 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0803.vdb\EECTRL.SYS

2009-08-17 17:50 . 2009-02-18 19:41 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0803.vdb\CCERASER.DLL

2009-08-12 11:59 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-08-06 19:02 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll

2009-08-06 19:02 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll

2009-08-06 19:02 . 2009-02-06 10:39 35328 -c----w- c:\windows\system32\dllcache\sc.exe

2009-08-06 19:02 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe

2009-08-06 19:01 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll

2009-08-06 19:01 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2009-08-06 19:01 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll

2009-08-06 19:01 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll

2009-08-06 19:01 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

2009-08-06 19:01 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll

2009-08-06 18:58 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll

2009-08-06 18:58 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

2009-08-06 18:48 . 2009-08-06 18:49 -------- d-----w- c:\program files\Virtual Earth 3D

2009-08-06 18:48 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll

2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

2009-07-29 04:37 . 2009-07-29 04:37 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

2009-07-29 04:37 . 2009-07-29 04:37 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

2009-07-22 23:43 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-07-22 23:43 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-07-22 23:43 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-07-22 23:43 . 2009-07-22 23:44 -------- d-----w- c:\program files\Common Files\PC Tools

2009-07-22 23:43 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-07-22 23:43 . 2009-08-18 14:25 -------- d-----w- c:\program files\Spyware Doctor

2009-07-22 23:43 . 2009-07-22 23:43 -------- d-----w- c:\documents and settings\Neil\Application Data\PC Tools

2009-07-22 23:43 . 2009-07-22 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-07-22 17:05 . 2009-07-22 17:05 422 ----a-w- c:\documents and settings\Neil\Application Data\AdobeUM\mario.exe

2009-07-22 17:05 . 2009-07-22 17:05 16141 ----a-w- c:\documents and settings\Neil\Application Data\Apple Computer\flamiks32.exe

2009-07-22 17:05 . 2009-07-22 17:05 145131 ----a-w- c:\documents and settings\Neil\Application Data\Ahead\pingo.dll

2009-07-22 17:05 . 2009-07-22 17:05 13221 ----a-w- c:\documents and settings\Neil\Application Data\AdobeAUM\xl12.exe

2009-07-22 17:05 . 2009-07-22 17:05 11232 ----a-w- c:\documents and settings\Neil\Application Data\Adobe\norigami.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-20 12:12 . 2006-12-18 15:21 -------- d-----w- c:\program files\Symantec AntiVirus

2009-08-18 15:15 . 2008-03-20 17:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-18 15:13 . 2009-04-01 18:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-18 14:30 . 2006-08-19 23:43 -------- d-----w- c:\program files\Google

2009-08-17 20:43 . 2008-01-17 21:41 10772 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\qbbackup.sys

2009-08-17 20:31 . 2009-01-24 16:35 4953 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys

2009-08-11 07:33 . 2008-04-11 17:00 -------- d-----w- c:\program files\Microsoft Silverlight

2009-08-05 09:01 . 2006-02-27 02:17 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-03 17:36 . 2009-04-01 18:42 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 17:36 . 2009-04-01 18:42 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-29 04:37 . 2006-02-27 02:17 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-07-29 04:37 . 2006-02-27 02:17 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-07-28 16:09 . 2009-01-29 17:43 -------- d-----w- c:\documents and settings\Neil\Application Data\uTorrent

2009-07-24 13:37 . 2007-07-09 16:14 -------- d-----w- c:\program files\MSECache

2009-07-22 20:35 . 2009-06-17 04:00 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-07-22 20:09 . 2009-04-01 15:33 117760 ----a-w- c:\documents and settings\Neil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-07-22 19:09 . 2009-04-07 19:14 3775175 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-07-22 17:13 . 2007-10-29 15:07 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-07-17 19:01 . 2006-02-27 02:17 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-16 17:38 . 2008-03-08 15:53 -------- d-----w- c:\documents and settings\Neil\Application Data\U3

2009-07-15 16:56 . 2009-01-28 18:13 816384 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB18\Patch\qbpatch2.exe

2009-07-14 03:43 . 2006-02-27 02:17 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-29 16:12 . 2006-02-27 02:17 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2006-02-27 02:17 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2006-02-27 02:17 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-25 08:25 . 2006-02-27 02:17 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2006-02-27 02:17 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2006-02-27 02:17 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2006-02-27 02:17 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:25 . 2006-02-27 02:17 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2006-02-27 02:17 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-24 11:18 . 2006-02-27 02:17 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-17 13:27 . 2009-06-17 13:27 152576 ----a-w- c:\documents and settings\Neil\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

2009-06-12 12:31 . 2006-02-27 02:17 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2006-02-27 02:17 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2006-02-27 10:31 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 06:14 . 2006-02-27 02:17 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 19:09 . 2006-02-27 02:17 1291264 ----a-w- c:\windows\system32\quartz.dll

2007-08-29 13:07 . 2007-08-29 13:07 2293712 -c--a-w- c:\program files\FLV PlayerFCSetup.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-12-09 234856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-15 7557120]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]

"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-03-15 1769472]

"SpeedTouch USB Diagnostics"="c:\program files\Virgin Net Broadband\Dragdiag.exe" [2004-01-26 866816]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]

"UniPrint"="c:\progra~1\UniPrint\Client\SetDfltSettings.exe" [2003-12-07 81920]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HDAShCut.exe [2005-01-08 61952]

"NDSTray.exe"="NDSTray.exe" [bU]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-02-15 1519616]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]

"CFSServ.exe"="CFSServ.exe" [bU]

c:\documents and settings\QBDataServiceUser17\Start Menu\Programs\Startup\

IEHOME.LNK - c:\documents and settings\Default User\Local Settings\Temp\iehome.bat [2006-8-12 298]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-5-20 967960]

UniPrint.exe [2004-1-21 425984]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2009-04-01 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-04-01 15:31 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [07/22/09 7:43 PM 130936]

R0 sonypvl2;sonypvl2;c:\windows\system32\drivers\sonypvl2.sys [12/20/08 6:14 AM 19478]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/06 1:53 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [02/27/07 12:39 PM 55024]

R1 sonypvf2;sonypvf2;c:\windows\system32\drivers\sonypvf2.sys [12/20/08 6:14 AM 635017]

R1 sonypvt2;sonypvt2;c:\windows\system32\drivers\sonypvt2.sys [12/20/08 6:14 AM 431236]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [04/01/09 2:42 PM 232720]

R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB17 [?]

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [09/27/06 8:33 PM 116464]

R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [08/31/06 3:25 PM 36188]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [06/03/09 10:21 AM 101936]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/01/09 2:42 PM 19096]

S2 Crypto;Crypto; [x]

S2 IPSECDRV;SafeNet IPSec Plugin;\??\c:\windows\system32\Drivers\IPSECDRV.sys --> c:\windows\system32\Drivers\IPSECDRV.sys [?]

S2 VERSALdr;ULS VersaLaser Engraver Firmware LoaderUSB\VID_10C3&PID_012C.DeviceDesc=ULS VersaLaser Air Compressor Firmware Loader;c:\windows\system32\drivers\VERSABL.sys [06/24/03 4:49 PM 10112]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/16/06 5:51 PM 4096]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [07/22/09 7:43 PM 348752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

Contents of the 'Scheduled Tasks' folder

2009-08-19 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Neil.job

- c:\program files\Malwarebytes' Anti-Malware\run-mbam.exe [2009-04-01 17:36]

2009-08-19 c:\windows\Tasks\Malwarebytes' Scheduled Update for Neil.job

- c:\program files\Malwarebytes' Anti-Malware\run-mbam.exe [2009-04-01 17:36]

2009-08-19 c:\windows\Tasks\User_Feed_Synchronization-{85E57AB6-D53F-4360-A9F4-FE9588AFCBDF}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30;

HKLM-Run-osCheck - c:\program files\Norton Antivirus\osCheck.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://sympatico.msn.ca/

uInternet Settings,ProxyOverride = *.local

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll

DPF: {1120C1B3-8768-11D1-8108-020701190C00} - hxxp://10.23.81.58/edmsnet/ImageAx/Spicer73.cab

DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} - hxxps://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab

DPF: {658FB985-BC22-4FF9-BCD3-894101DAF28D} - hxxp://10.23.81.58/edmsnet/ImageAx/Annotations.CAB

DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} - hxxp://www.nero.com/doc/NeroVersionCheckerControl.cab

DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} - hxxps://techinline.net/Client/TIClient.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-20 08:12

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3840902678-793521057-3591099756-1006\Software\Microsoft\Driver Signing]

@Denied: (2) (Administrators)

@Allowed: (2) (Administrators)

"Policy"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]

@Denied: (2) (Administrators)

@Allowed: (2) (Administrators)

"Policy"=hex:00,00,00,00

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1356)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1388)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\windows\system32\DVDRAMSV.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe

c:\windows\system32\nvsvc32.exe

c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\wscntfy.exe

c:\program files\TOSHIBA\ConfigFree\NDSTray.exe

c:\program files\Synaptics\SynTP\Toshiba.exe

c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe

c:\program files\TOSHIBA\ConfigFree\CFSServ.exe

c:\documents and settings\All Users\Start Menu\Programs\Startup\UniPrint.exe

c:\program files\HP\hpcoretech\comp\hptskmgr.exe

.

**************************************************************************

.

Completion time: 2009-08-20 8:25 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-20 12:24

Pre-Run: 24,442,691,584 bytes free

Post-Run: 27,157,458,944 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

327 --- E O F --- 2009-08-16 18:59

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:33:03 AM, on 08/20/09

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Synaptics\SynTP\Toshiba.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\TomTom HOME 2\HOMERunner.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UniPrint.exe

C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Neil\My Documents\My Software\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Virgin Net Broadband\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [HP Component Manager] "c:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [uniPrint] C:\PROGRA~1\UniPrint\Client\SetDfltSettings.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-21-3840902678-793521057-3591099756-1009\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User 'QBDataServiceUser17')

O4 - HKUS\S-1-5-21-3840902678-793521057-3591099756-1009\..\Run: [CPM03efa320] Rundll32.exe "c:\windows\system32\tujaguno.dll",a (User 'QBDataServiceUser17')

O4 - HKUS\S-1-5-21-3840902678-793521057-3591099756-1009\..\Run: [rugudukehe] Rundll32.exe "C:\WINDOWS\system32\hilayori.dll",s (User 'QBDataServiceUser17')

O4 - S-1-5-21-3840902678-793521057-3591099756-1009 Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'QBDataServiceUser17')

O4 - S-1-5-21-3840902678-793521057-3591099756-1009 User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'QBDataServiceUser17')

O4 - S-1-5-18 Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'SYSTEM')

O4 - .DEFAULT Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')

O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: UniPrint.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1120C1B3-8768-11D1-8108-020701190C00} (Spicer View Control) - http://10.23.81.58/edmsnet/ImageAx/Spicer73.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex...wareControl.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229781164000

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {658FB985-BC22-4FF9-BCD3-894101DAF28D} (AnnotationHandler.AnnotationManager) - http://10.23.81.58/edmsnet/ImageAx/Annotations.CAB

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} (NeroVersionCheckerControl Control) - http://www.nero.com/doc/NeroVersionCheckerControl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229781154328

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} (TIClientControl Object) - https://techinline.net/Client/TIClient.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://exact.webex.com/client/T26L/support/ieatgpc.cab

O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://map.hamilton.ca/InteractiveMaps/ACGM/Acgm.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: SafeNet Monitor Service (IPSECMON) - Unknown owner - C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe (file missing)

O23 - Service: SafeNet IKE Service (IREIKE) - Unknown owner - C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe (file missing)

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~3\QBDBMgrN.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 15156 bytes

Link to post
Share on other sites

  • Staff

Hi,

Please go to VirusTotal, and upload the following files for analysis:

c:\windows\system32\mswebdvd.dll

c:\windows\system32\xpsp4res.dll

Post the results in your reply.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://www.malwarebytes.org/forums/index.php?showtopic=22042
File::
c:\documents and settings\QBDataServiceUser17\Start Menu\Programs\Startup\IEHOME.LNK
c:\documents and settings\Default User\Local Settings\Temp\iehome.bat
Driver::
Crypto

Save this as CFScript.txt

CFScriptB-4.gif

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in addition to a new HijackThis log in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-screen317

Link to post
Share on other sites

Hi,

Please go to VirusTotal, and upload the following files for analysis:

c:\windows\system32\mswebdvd.dll

c:\windows\system32\xpsp4res.dll

Post the results in your reply.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://www.malwarebytes.org/forums/index.php?showtopic=22042
File::
c:\documents and settings\QBDataServiceUser17\Start Menu\Programs\Startup\IEHOME.LNK
c:\documents and settings\Default User\Local Settings\Temp\iehome.bat
Driver::
Crypto

Save this as CFScript.txt

CFScriptB-4.gif

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in addition to a new HijackThis log in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-screen317

Link to post
Share on other sites

ComboFix 09-08-19.0C - Neil 08/20/09 15:36.2.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.415 [GMT -4:00]

Running from: c:\documents and settings\Neil\My Documents\My Software\ComboFix.exe

Command switches used :: c:\documents and settings\Neil\My Documents\My Software\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::

"c:\documents and settings\Default User\Local Settings\Temp\iehome.bat"

"c:\documents and settings\QBDataServiceUser17\Start Menu\Programs\Startup\IEHOME.LNK"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Default User\Local Settings\Temp\iehome.bat

c:\documents and settings\QBDataServiceUser17\Start Menu\Programs\Startup\IEHOME.LNK

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_Crypto

((((((((((((((((((((((((( Files Created from 2009-07-20 to 2009-08-20 )))))))))))))))))))))))))))))))

.

2009-08-19 16:08 . 2009-06-29 20:11 875728 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2403.vdb\NAVEX15.SYS

2009-08-19 16:08 . 2009-06-29 20:11 87888 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2403.vdb\NAVENG.SYS

2009-08-19 16:08 . 2009-02-12 23:03 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2403.vdb\NAVEX32A.DLL

2009-08-19 16:08 . 2009-02-12 23:03 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2403.vdb\NAVENG32.DLL

2009-08-19 16:08 . 2009-08-18 08:00 259368 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2403.vdb\ECMSVR32.DLL

2009-08-19 16:08 . 2009-02-18 19:41 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2403.vdb\CCERASER.DLL

2009-08-19 16:08 . 2009-02-06 19:26 101936 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2403.vdb\ERASER.SYS

2009-08-19 16:08 . 2009-02-06 19:26 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2403.vdb\EECTRL.SYS

2009-08-19 15:04 . 2009-08-19 15:04 -------- d-----w- c:\program files\Trend Micro

2009-08-19 12:29 . 2009-08-19 12:29 -------- d-----w- c:\documents and settings\Neil\Local Settings\Application Data\assembly

2009-08-17 17:50 . 2009-06-29 20:11 875728 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0803.vdb\NAVEX15.SYS

2009-08-17 17:50 . 2009-02-12 23:03 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0803.vdb\NAVEX32A.DLL

2009-08-17 17:50 . 2009-06-29 20:11 87888 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0803.vdb\NAVENG.SYS

2009-08-17 17:50 . 2009-02-12 23:03 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0803.vdb\NAVENG32.DLL

2009-08-17 17:50 . 2009-08-04 08:00 259368 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0803.vdb\ECMSVR32.DLL

2009-08-17 17:50 . 2009-02-06 19:26 101936 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0803.vdb\ERASER.SYS

2009-08-17 17:50 . 2009-02-06 19:26 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0803.vdb\EECTRL.SYS

2009-08-17 17:50 . 2009-02-18 19:41 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0803.vdb\CCERASER.DLL

2009-08-12 11:59 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-08-06 19:02 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll

2009-08-06 19:02 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll

2009-08-06 19:02 . 2009-02-06 10:39 35328 -c----w- c:\windows\system32\dllcache\sc.exe

2009-08-06 19:02 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe

2009-08-06 19:01 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll

2009-08-06 19:01 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2009-08-06 19:01 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll

2009-08-06 19:01 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll

2009-08-06 19:01 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

2009-08-06 19:01 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll

2009-08-06 18:58 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll

2009-08-06 18:58 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

2009-08-06 18:48 . 2009-08-06 18:49 -------- d-----w- c:\program files\Virtual Earth 3D

2009-08-06 18:48 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll

2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

2009-07-29 04:37 . 2009-07-29 04:37 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

2009-07-29 04:37 . 2009-07-29 04:37 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

2009-07-22 23:43 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-07-22 23:43 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-07-22 23:43 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-07-22 23:43 . 2009-07-22 23:44 -------- d-----w- c:\program files\Common Files\PC Tools

2009-07-22 23:43 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-07-22 23:43 . 2009-08-18 14:25 -------- d-----w- c:\program files\Spyware Doctor

2009-07-22 23:43 . 2009-07-22 23:43 -------- d-----w- c:\documents and settings\Neil\Application Data\PC Tools

2009-07-22 23:43 . 2009-07-22 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-07-22 17:05 . 2009-07-22 17:05 422 ----a-w- c:\documents and settings\Neil\Application Data\AdobeUM\mario.exe

2009-07-22 17:05 . 2009-07-22 17:05 16141 ----a-w- c:\documents and settings\Neil\Application Data\Apple Computer\flamiks32.exe

2009-07-22 17:05 . 2009-07-22 17:05 145131 ----a-w- c:\documents and settings\Neil\Application Data\Ahead\pingo.dll

2009-07-22 17:05 . 2009-07-22 17:05 13221 ----a-w- c:\documents and settings\Neil\Application Data\AdobeAUM\xl12.exe

2009-07-22 17:05 . 2009-07-22 17:05 11232 ----a-w- c:\documents and settings\Neil\Application Data\Adobe\norigami.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-20 19:59 . 2006-12-18 15:21 -------- d-----w- c:\program files\Symantec AntiVirus

2009-08-20 19:57 . 2009-01-29 17:43 -------- d-----w- c:\documents and settings\Neil\Application Data\uTorrent

2009-08-18 15:15 . 2008-03-20 17:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-18 15:13 . 2009-04-01 18:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-18 14:30 . 2006-08-19 23:43 -------- d-----w- c:\program files\Google

2009-08-17 20:43 . 2008-01-17 21:41 10772 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\qbbackup.sys

2009-08-17 20:31 . 2009-01-24 16:35 4953 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys

2009-08-11 07:33 . 2008-04-11 17:00 -------- d-----w- c:\program files\Microsoft Silverlight

2009-08-05 09:01 . 2006-02-27 02:17 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-03 17:36 . 2009-04-01 18:42 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 17:36 . 2009-04-01 18:42 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-29 04:37 . 2006-02-27 02:17 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-07-29 04:37 . 2006-02-27 02:17 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-07-24 13:37 . 2007-07-09 16:14 -------- d-----w- c:\program files\MSECache

2009-07-22 20:35 . 2009-06-17 04:00 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-07-22 20:09 . 2009-04-01 15:33 117760 ----a-w- c:\documents and settings\Neil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-07-22 19:09 . 2009-04-07 19:14 3775175 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-07-22 17:13 . 2007-10-29 15:07 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-07-17 19:01 . 2006-02-27 02:17 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-16 17:38 . 2008-03-08 15:53 -------- d-----w- c:\documents and settings\Neil\Application Data\U3

2009-07-15 16:56 . 2009-01-28 18:13 816384 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB18\Patch\qbpatch2.exe

2009-07-14 03:43 . 2006-02-27 02:17 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-29 16:12 . 2006-02-27 02:17 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2006-02-27 02:17 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2006-02-27 02:17 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-25 08:25 . 2006-02-27 02:17 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2006-02-27 02:17 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2006-02-27 02:17 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2006-02-27 02:17 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:25 . 2006-02-27 02:17 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2006-02-27 02:17 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-24 11:18 . 2006-02-27 02:17 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-17 13:27 . 2009-06-17 13:27 152576 ----a-w- c:\documents and settings\Neil\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

2009-06-12 12:31 . 2006-02-27 02:17 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2006-02-27 02:17 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2006-02-27 10:31 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 06:14 . 2006-02-27 02:17 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 19:09 . 2006-02-27 02:17 1291264 ----a-w- c:\windows\system32\quartz.dll

2007-08-29 13:07 . 2007-08-29 13:07 2293712 -c--a-w- c:\program files\FLV PlayerFCSetup.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-08-20_12.12.24 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-20 19:58 . 2009-08-20 19:58 16384 c:\windows\Temp\Perflib_Perfdata_5f4.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-12-09 234856]

"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-11 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-15 7557120]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]

"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-03-15 1769472]

"SpeedTouch USB Diagnostics"="c:\program files\Virgin Net Broadband\Dragdiag.exe" [2004-01-26 866816]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]

"UniPrint"="c:\progra~1\UniPrint\Client\SetDfltSettings.exe" [2003-12-07 81920]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HDAShCut.exe [2005-01-08 61952]

"NDSTray.exe"="NDSTray.exe" [bU]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-02-15 1519616]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]

"CFSServ.exe"="CFSServ.exe" [bU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-5-20 967960]

UniPrint.exe [2004-1-21 425984]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2009-04-01 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-04-01 15:31 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [07/22/09 7:43 PM 130936]

R0 sonypvl2;sonypvl2;c:\windows\system32\drivers\sonypvl2.sys [12/20/08 6:14 AM 19478]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/06 1:53 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [02/27/07 12:39 PM 55024]

R1 sonypvf2;sonypvf2;c:\windows\system32\drivers\sonypvf2.sys [12/20/08 6:14 AM 635017]

R1 sonypvt2;sonypvt2;c:\windows\system32\drivers\sonypvt2.sys [12/20/08 6:14 AM 431236]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [04/01/09 2:42 PM 232720]

R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB17 [?]

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [09/27/06 8:33 PM 116464]

R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [08/31/06 3:25 PM 36188]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [06/03/09 10:21 AM 101936]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/01/09 2:42 PM 19096]

S2 IPSECDRV;SafeNet IPSec Plugin;\??\c:\windows\system32\Drivers\IPSECDRV.sys --> c:\windows\system32\Drivers\IPSECDRV.sys [?]

S2 VERSALdr;ULS VersaLaser Engraver Firmware LoaderUSB\VID_10C3&PID_012C.DeviceDesc=ULS VersaLaser Air Compressor Firmware Loader;c:\windows\system32\drivers\VERSABL.sys [06/24/03 4:49 PM 10112]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/16/06 5:51 PM 4096]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [07/22/09 7:43 PM 348752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

Contents of the 'Scheduled Tasks' folder

2009-08-20 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Neil.job

- c:\program files\Malwarebytes' Anti-Malware\run-mbam.exe [2009-04-01 17:36]

2009-08-19 c:\windows\Tasks\Malwarebytes' Scheduled Update for Neil.job

- c:\program files\Malwarebytes' Anti-Malware\run-mbam.exe [2009-04-01 17:36]

2009-08-20 c:\windows\Tasks\User_Feed_Synchronization-{85E57AB6-D53F-4360-A9F4-FE9588AFCBDF}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://sympatico.msn.ca/

uInternet Settings,ProxyOverride = *.local

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll

DPF: {1120C1B3-8768-11D1-8108-020701190C00} - hxxp://10.23.81.58/edmsnet/ImageAx/Spicer73.cab

DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} - hxxps://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab

DPF: {658FB985-BC22-4FF9-BCD3-894101DAF28D} - hxxp://10.23.81.58/edmsnet/ImageAx/Annotations.CAB

DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} - hxxp://www.nero.com/doc/NeroVersionCheckerControl.cab

DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} - hxxps://techinline.net/Client/TIClient.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-20 16:00

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3840902678-793521057-3591099756-1006\Software\Microsoft\Driver Signing]

@Denied: (2) (Administrators)

@Allowed: (2) (Administrators)

"Policy"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]

@Denied: (2) (Administrators)

@Allowed: (2) (Administrators)

"Policy"=hex:00,00,00,00

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1420)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1600)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\windows\system32\DVDRAMSV.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe

c:\windows\system32\nvsvc32.exe

c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\wscntfy.exe

c:\program files\TOSHIBA\ConfigFree\NDSTray.exe

c:\program files\Synaptics\SynTP\Toshiba.exe

c:\program files\iPod\bin\iPodService.exe

c:\documents and settings\All Users\Start Menu\Programs\Startup\UniPrint.exe

c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe

c:\program files\HP\hpcoretech\comp\hptskmgr.exe

.

**************************************************************************

.

Completion time: 2009-08-20 16:10 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-20 20:10

ComboFix2.txt 2009-08-20 12:25

Pre-Run: 26,696,622,080 bytes free

Post-Run: 26,710,200,320 bytes free

294 --- E O F --- 2009-08-16 18:59

Link to post
Share on other sites

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:22:11 PM, on 08/20/09

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Synaptics\SynTP\Toshiba.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\TomTom HOME 2\HOMERunner.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UniPrint.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Neil\My Documents\My Software\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Virgin Net Broadband\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [HP Component Manager] "c:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [uniPrint] C:\PROGRA~1\UniPrint\Client\SetDfltSettings.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s

O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-21-3840902678-793521057-3591099756-1009\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User 'QBDataServiceUser17')

O4 - HKUS\S-1-5-21-3840902678-793521057-3591099756-1009\..\Run: [CPM03efa320] Rundll32.exe "c:\windows\system32\tujaguno.dll",a (User 'QBDataServiceUser17')

O4 - HKUS\S-1-5-21-3840902678-793521057-3591099756-1009\..\Run: [rugudukehe] Rundll32.exe "C:\WINDOWS\system32\hilayori.dll",s (User 'QBDataServiceUser17')

O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: UniPrint.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1120C1B3-8768-11D1-8108-020701190C00} (Spicer View Control) - http://10.23.81.58/edmsnet/ImageAx/Spicer73.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex...wareControl.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229781164000

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {658FB985-BC22-4FF9-BCD3-894101DAF28D} (AnnotationHandler.AnnotationManager) - http://10.23.81.58/edmsnet/ImageAx/Annotations.CAB

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} (NeroVersionCheckerControl Control) - http://www.nero.com/doc/NeroVersionCheckerControl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229781154328

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} (TIClientControl Object) - https://techinline.net/Client/TIClient.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://exact.webex.com/client/T26L/support/ieatgpc.cab

O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://map.hamilton.ca/InteractiveMaps/ACGM/Acgm.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: SafeNet Monitor Service (IPSECMON) - Unknown owner - C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe (file missing)

O23 - Service: SafeNet IKE Service (IREIKE) - Unknown owner - C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe (file missing)

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~3\QBDBMgrN.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 14599 bytes

Link to post
Share on other sites

Security Check log:

Results of screen317's Security Check version 0.98.9

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Windows Live OneCare safety scanner

Windows Live OneCare safety scanner

Symantec AntiVirus

``````````````````````````````

Anti-malware/Other Utilities Check:

Spyware Doctor 6.0

SUPERAntiSpyware Free Edition

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Java 6 Update 13

Java 6 Update 5

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 8.1.2

Adobe Reader 8.1.2 Security Update 1 (KB403742)

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe

Malwarebytes' Anti-Malware mbamgui.exe

Symantec AntiVirus DefWatch.exe

Symantec AntiVirus SavRoam.exe

Symantec AntiVirus Rtvscan.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Link to post
Share on other sites

  • Staff

Hi,

Before we continue, please go to this website, and complete the form as follows:

Link to topic where this file was requested: http://www.malwarebytes.org/forums/index.php?showtopic=22042

Browse to the file you want to submit:

Click Browse, and navigate to the following file:

C:\qoobox\quarantine\c:documents and settings\Default User\Local Settings\Temp\iehome.bat.vir

Leave any comments, further information about this file, or contact information: iehome.bat for screen317

Let me know when that's done.

-screen317

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.