BWarriner

Members
  • Content Count

    66
  • Joined

  • Last visited

  • Days Won

    1

Everything posted by BWarriner

  1. ComboFix 09-12-11.01 - xxxxxxxxxxxxxxxxxxxx 12/11/2009 15:14:14.6.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2631 [GMT -6:00] Running from: c:\documents and settings\xxxxxxxxxxxxxxxxxxx.D4G6V31.000\Desktop\ComboFix.exe AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected Restored copy from - c:\windows\SYSTEM32\ReinstallBackups16\DriverFiles\iaStor.sys . ((((((((((((((((((((((((( Files Created from 2009-11-11 to 2009-12-11 ))))))))))))))))))))))))))))))) . 2009-12-11 19:34 . 2009-12-11 19:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2009-12-10 09:25 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll 2009-11-18 06:02 . 2009-11-18 06:03 -------- d-----w- c:\program files\Safari 2009-11-18 05:41 . 2009-11-18 06:00 -------- d-----w- c:\program files\iPod 2009-11-18 05:41 . 2009-11-18 06:00 -------- d-----w- c:\program files\iTunes 2009-11-18 05:41 . 2009-11-18 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD} 2009-11-18 05:38 . 2009-11-18 05:39 -------- d-----w- c:\program files\QuickTime 2009-11-16 23:41 . 2001-08-18 04:36 5632 ----a-w- c:\windows\system32\ptpusb.dll 2009-11-16 23:40 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll 2009-11-12 01:32 . 2009-11-12 01:32 -------- d-----w- c:\documents and settings\xxxxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\Sony Corporation 2009-11-12 01:30 . 2007-04-05 00:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll 2009-11-12 01:30 . 2007-04-05 00:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll 2009-11-12 01:28 . 2006-06-12 09:30 89264 ----a-w- c:\windows\system32\drivers\DRVMCDB.SYS 2009-11-12 01:28 . 2006-03-17 14:35 5660 ----a-w- c:\windows\system32\drivers\DLACDBHM.SYS 2009-11-12 01:28 . 2006-03-17 11:20 40544 ----a-w- c:\windows\system32\drivers\DRVNDDM.SYS 2009-11-12 01:28 . 2009-11-12 01:28 -------- d-----w- c:\windows\system32\DLA 2009-11-12 01:28 . 2006-06-13 11:20 94263 ----a-w- c:\windows\DLA.EXE 2009-11-12 01:28 . 2006-06-13 11:20 61500 ----a-w- c:\windows\system32\DLAAPI_W.DLL 2009-11-12 01:28 . 2006-03-17 14:34 22684 ----a-w- c:\windows\system32\drivers\DLARTL_N.SYS 2009-11-12 01:28 . 2009-11-12 01:28 -------- d-----w- c:\program files\Sonic 2009-11-12 01:25 . 2009-11-12 01:25 -------- d-----w- c:\program files\Sony 2009-11-12 01:23 . 2009-11-12 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-12-11 21:34 . 2007-01-20 08:27 -------- d-----w- c:\program files\Symantec AntiVirus 2009-12-11 21:08 . 2003-07-03 06:00 274816 ----a-w- c:\windows\system32\drivers\iaStor.sys 2009-12-11 04:34 . 2009-03-17 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-12-10 08:33 . 2009-03-20 23:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-12-10 08:32 . 2009-12-10 08:32 4844295 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2009-12-10 08:20 . 2006-06-09 23:04 -------- d-----w- c:\program files\HiJack This 2009-12-10 05:47 . 2003-11-26 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software 2009-12-10 05:46 . 2003-11-26 23:23 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-12-04 23:07 . 2009-03-17 02:39 -------- d-----w- c:\program files\Google 2009-12-03 22:14 . 2009-03-20 23:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-12-03 22:13 . 2009-03-20 23:29 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-28 02:00 . 2009-09-25 22:50 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe 2009-11-25 16:17 . 2009-12-11 16:53 2063640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll 2009-11-25 16:17 . 2009-12-11 16:53 3514648 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe 2009-11-25 16:17 . 2009-12-11 16:53 2029336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe 2009-11-24 16:49 . 2008-01-16 00:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2009-11-18 06:57 . 2009-09-03 22:56 -------- d-----w- c:\documents and settings\xxxxxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\Apple Computer 2009-11-18 06:01 . 2009-11-18 06:01 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe 2009-11-18 06:00 . 2009-09-03 22:53 -------- d-----w- c:\program files\Common Files\Apple 2009-11-18 05:33 . 2009-11-18 05:33 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe 2009-11-15 21:39 . 2009-09-03 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple 2009-11-08 20:11 . 2004-06-08 23:38 -------- d-----w- c:\program files\LimeWire 2009-11-04 00:05 . 2009-03-21 19:42 -------- d-----w- c:\program files\Java 2009-11-04 00:04 . 2009-11-04 00:04 152576 ----a-w- c:\documents and settings\xxxxxxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\Sun\Java\jre1.6.0_17\lzma.dll 2009-10-29 07:45 . 2004-02-06 23:05 916480 ------w- c:\windows\system32\wininet.dll 2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll 2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll 2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys 2009-10-17 02:15 . 2009-06-19 23:24 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe 2009-10-13 10:30 . 2002-08-29 11:00 270336 ----a-w- c:\windows\system32\oakley.dll 2009-10-12 13:38 . 2002-08-29 11:00 149504 ----a-w- c:\windows\system32\rastls.dll 2009-10-12 13:38 . 2002-08-29 11:00 79872 ----a-w- c:\windows\system32\raschap.dll 2009-10-11 10:17 . 2009-03-19 03:07 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-09-25 22:51 . 2009-06-19 23:24 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe 2009-09-25 22:51 . 2009-06-19 23:24 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll 2009-09-25 22:51 . 2009-06-19 23:24 168800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll 2009-09-25 22:51 . 2009-05-29 22:27 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe 2009-09-25 22:51 . 2009-09-25 22:51 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll 2009-09-25 22:51 . 2009-06-19 23:24 349008 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll 2009-09-25 22:51 . 2009-06-19 23:24 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll 2009-09-25 22:51 . 2009-06-19 23:24 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll 2009-09-25 22:51 . 2009-05-29 22:27 84320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll 2009-09-25 22:51 . 2009-05-29 22:27 246640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll 2009-09-25 22:50 . 2009-09-25 22:50 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys 2009-09-25 22:50 . 2009-05-29 22:27 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll 2009-09-25 22:50 . 2009-09-25 22:50 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe 2009-09-25 22:50 . 2009-06-19 23:24 664936 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll 2009-09-25 22:50 . 2009-06-19 23:24 562552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe 2009-09-25 22:50 . 2009-06-19 23:24 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe 2009-09-25 22:50 . 2009-06-19 23:24 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe 2009-09-25 22:50 . 2009-06-19 23:24 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe 2009-09-25 22:50 . 2009-06-19 23:24 1028432 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112] "PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016] "IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-25 126976] "DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680] "CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152] "CTDVDDET"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-08-03 124232] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-21 198160] c:\documents and settings\xxxxxxxxxxxxxxxxxxxxx.D4G6V31.000\Start Menu\Programs\Startup\ ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-08-18 19:30 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk backup=c:\windows\pss\Windows Search.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch] 2009-09-25 22:50 520024 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY] 2009-12-11 16:52 2043160 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG] 2003-08-29 09:59 122880 ----a-w- c:\windows\BCMSMMSG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU] 2003-09-10 20:47 61440 ----a-w- c:\dell\BLDBUBG.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper] 2006-08-11 19:56 17920 ----a-w- c:\windows\CTHELPER.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp] 2006-08-11 19:56 18944 ----a-w- c:\windows\SYSTEM32\CTXFIHLP.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtxfiReg] 2006-08-11 19:53 42496 ----a-w- c:\windows\SYSTEM32\CTXFIREG.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher] 2008-06-12 15:00 113136 ----a-w- c:\program files\Roxio\CinePlayer\DMXLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DwlClient] 2004-05-28 01:05 323584 ----a-w- c:\program files\Common Files\Dell\EUSW\Support.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWITOOLBOX] 2003-07-24 06:28 290816 ----a-w- c:\program files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler] 2008-10-24 14:14 79136 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2009-10-29 02:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] 2003-06-18 18:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2009-09-05 07:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray] 2008-06-23 15:05 244208 ----a-w- c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon] 2002-04-17 15:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] 2009-03-21 16:07 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] 2006-03-30 21:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG] 2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\StubInstaller.exe"= "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"= "c:\\Program Files\\LightWave [8]\\Programs\\hub.exe"= "c:\\Program Files\\LightWave [8]\\Programs\\lightwav.exe"= "c:\\Program Files\\LightWave [8]\\Programs\\modeler.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [3/31/2009 9:07 PM 64160] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [1/2/2009 6:41 PM 335240] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/2/2009 6:05 PM 297752] S2 gupdate1c9a6a9f2595210;Google Update Service (gupdate1c9a6a9f2595210);c:\program files\Google\Update\GoogleUpdate.exe [3/16/2009 8:41 PM 133104] S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [6/23/2008 9:08 AM 362992] S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [6/23/2008 9:06 AM 309744] S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [6/23/2008 9:06 AM 166384] S2 SessionLauncher;SessionLauncher;c:\docume~1\xxxxxxx~1.000\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\xxxxxx~1.000\LOCALS~1\Temp\DX9\SessionLauncher.exe [?] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 1:06 PM 1028432] S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [6/23/2008 9:08 AM 313840] S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [6/23/2008 9:05 AM 1120752] S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [8/2/2004 7:36 PM 173392] . ------- Supplementary Scan ------- . uStart Page = hxxp://www.rr.com/flash/index.cfm uInternet Settings,ProxyServer = http=127.0.0.1:5555 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 IE: LimeShop Preferences - file://c:\program files\LimeShop\System\Temp\limeshop_script0.htm DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} - hxxp://www.evite.com/html/imageUpload/ImageUploader4.cab DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} - hxxp://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url] Rootkit scan 2009-12-11 15:51 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url] device: opened successfully user: MBR read successfully called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B1E4618]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28 \Driver\ACPI -> ACPI.sys @ 0xf75aecb8 \Driver\atapi -> atapi.sys @ 0xf74a0852 \Driver\iaStor -> iaStor.sys @ 0xf74662f0 IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1 \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1 NDIS: Intel® PRO/1000 MT Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7868bb0 PacketIndicateHandler -> NDIS.sys @ 0xf7875a21 SendHandler -> NDIS.sys @ 0xf785387b user & kernel MBR OK ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(812) c:\windows\system32\WININET.dll c:\windows\system32\Ati2evxx.dll - - - - - - - > 'lsass.exe'(880) c:\windows\system32\WININET.dll - - - - - - - > 'explorer.exe'(268) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\windows\system32\Ati2evxx.exe c:\program files\Common Files\Symantec Shared\ccSetMgr.exe c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\System32\CTsvcCDA.exe c:\program files\Symantec AntiVirus\DefWatch.exe c:\progra~1\AVG\AVG8\avgrsx.exe c:\program files\Intel\Intel Application Accelerator\iaantmon.exe c:\windows\system32\cba\pds.exe c:\program files\iolo\Common\Lib\ioloDMVSvc.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe c:\progra~1\Symantec\SYMANT~1\NSCTOP.EXE c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe c:\program files\Symantec AntiVirus\Rtvscan.exe c:\windows\System32\MsPMSPSv.exe c:\windows\system32\ams_ii\hndlrsvc.exe c:\windows\system32\MsgSys.EXE c:\windows\system32\ams_ii\iao.exe c:\windows\system32\cba\xfr.exe c:\program files\Windows Media Player\WMPNetwk.exe . ************************************************************************** . Completion time: 2009-12-11 16:06:21 - machine was rebooted ComboFix-quarantined-files.txt 2009-12-11 22:06 ComboFix2.txt 2009-12-11 04:17 Pre-Run: 65,775,468,544 bytes free Post-Run: 65,718,759,424 bytes free Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4 - - End Of File - - 70B282351C8BAD341374EB52DD42273D
  2. Logfile of HijackThis v1.99.1 Scan saved at 4:10:20 PM, on 12/11/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe C:\WINDOWS\system32\cba\pds.exe C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ams_ii\hndlrsvc.exe C:\WINDOWS\system32\MsgSys.EXE C:\WINDOWS\system32\ams_ii\iao.exe C:\WINDOWS\system32\cba\xfr.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\explorer.exe C:\Program Files\HiJack This\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://www.rr.com/flash/index.cfm"]http://www.rr.com/flash/index.cfm[/url] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url] R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url] R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll O11 - Options group: [INTERNATIONAL] International O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - [url="http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab"]http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab[/url] O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - [url="http://www.creative.com/su/ocx/15030/CTSUEng.cab"]http://www.creative.com/su/ocx/15030/CTSUEng.cab[/url] O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - [url="http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab"]http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab[/url] O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [url="http://lads.myspace.com/upload/MySpaceUploader1006.cab"]http://lads.myspace.com/upload/MySpaceUploader1006.cab[/url] O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - [url="http://www.evite.com/html/imageUpload/ImageUploader5.cab"]http://www.evite.com/html/imageUpload/ImageUploader5.cab[/url] O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - [url="https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab"]https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab[/url] O16 - DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} (Image Uploader Control) - [url="http://www.evite.com/html/imageUpload/ImageUploader4.cab"]http://www.evite.com/html/imageUpload/ImageUploader4.cab[/url] O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - [url="http://cs7b.instantservice.com/jars/customerxsigned40.cab"]http://cs7b.instantservice.com/jars/customerxsigned40.cab[/url] O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - [url="http://web1.shutterfly.com/downloads/Uploader.cab"]http://web1.shutterfly.com/downloads/Uploader.cab[/url] O16 - DPF: {9D5B6642-8C3F-4504-B2FC-42779ABAE4B9} (Snapfish File Upload ActiveX Control) - [url="http://www.snapfish.com/SnapfishUpload.cab"]http://www.snapfish.com/SnapfishUpload.cab[/url] O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [url="http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab"]http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab[/url] O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - [url="http://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab"]http://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab[/url] O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - [url="http://www.creative.com/su/ocx/15030/CTPID.cab"]http://www.creative.com/su/ocx/15030/CTPID.cab[/url] O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing) O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Google Update Service (gupdate1c9a6a9f2595210) (gupdate1c9a6a9f2595210) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing) O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS\system32\ams_ii\iao.exe O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing) O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\xxxxxx~1.000\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing) O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  3. Well in the time that I presumed most of the malware had been correctly deleted, I got reinfected, this time while I was playing the online Playdom game app 'Mobsters' through MySpace. I am not sure if this new infection is actually part of the original infection from 2 days ago, or if it is indeed something new (is it possible that someone fouind an exploit in the online Java-based game even though my Java is up-to-date?) Norton Corporate Edition immediately notified me and quarantined/deleted 2 entries (Hacktool.Rootkit rdlA.tmp and rdl16.tmp, however, it didn't prevent my computer from being infected.) This was a different rogue antivirus application (calling itself Internet Security 2010) that took over my computer, locked it up, added 2 entries to my msconfig startup (winupdate86 and IS2010), took over my desktop image, and after I attempted to Safeboot, I got a bluescreen error (this happened 3 separate times while attempting to reboot in Safemode.) I was able to uncheck these 2 apps, delete out the 2 registry entries, and deleted C:\Internet Security 2010 as well. I reran Combofix, it reported a rootkit issue, so I am attaching my logs in the order that they were run: ComboFix log Hijack This log Malwarebytes log Kaspersky log ugghhhhh....I won't be doing anything more on this computer until I get the ok from you guys. Thanks for the assistance.
  4. ComboFix 09-12-10.01 - xxxxxxxxxxxxxxxxxx 12/11/2009 11:05:04.4.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2591 [GMT -6:00] Running from: c:\documents and settings\xxxxxxxxxxxxxxxxx.D4G6V31.000\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\xxxxxxxxxxxxxxxxxx.D4G6V31.000\Desktop\CFScript.txt AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} file zipped: C:\dcgwhpoh.exe file zipped: C:\ddnany.exe file zipped: C:\dror.exe file zipped: C:\ryiasu.exe file zipped: C:\udhkiixx.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\dcgwhpoh.exe C:\ddnany.exe C:\dror.exe C:\ryiasu.exe C:\udhkiixx.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_WINSTS -------\Service_winsts ((((((((((((((((((((((((( Files Created from 2009-11-11 to 2009-12-11 ))))))))))))))))))))))))))))))) . 2009-12-10 09:25 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll 2009-11-18 06:02 . 2009-11-18 06:03 -------- d-----w- c:\program files\Safari 2009-11-18 05:41 . 2009-11-18 06:00 -------- d-----w- c:\program files\iPod 2009-11-18 05:41 . 2009-11-18 06:00 -------- d-----w- c:\program files\iTunes 2009-11-18 05:41 . 2009-11-18 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD} 2009-11-18 05:38 . 2009-11-18 05:39 -------- d-----w- c:\program files\QuickTime 2009-11-16 23:41 . 2001-08-18 04:36 5632 ----a-w- c:\windows\system32\ptpusb.dll 2009-11-16 23:40 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll 2009-11-12 01:32 . 2009-11-12 01:32 -------- d-----w- c:\documents and settings\xxxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\Sony Corporation 2009-11-12 01:30 . 2007-04-05 00:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll 2009-11-12 01:30 . 2007-04-05 00:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll 2009-11-12 01:28 . 2006-06-12 09:30 89264 ----a-w- c:\windows\system32\drivers\DRVMCDB.SYS 2009-11-12 01:28 . 2006-03-17 14:35 5660 ----a-w- c:\windows\system32\drivers\DLACDBHM.SYS 2009-11-12 01:28 . 2006-03-17 11:20 40544 ----a-w- c:\windows\system32\drivers\DRVNDDM.SYS 2009-11-12 01:28 . 2009-11-12 01:28 -------- d-----w- c:\windows\system32\DLA 2009-11-12 01:28 . 2006-06-13 11:20 94263 ----a-w- c:\windows\DLA.EXE 2009-11-12 01:28 . 2006-06-13 11:20 61500 ----a-w- c:\windows\system32\DLAAPI_W.DLL 2009-11-12 01:28 . 2006-03-17 14:34 22684 ----a-w- c:\windows\system32\drivers\DLARTL_N.SYS 2009-11-12 01:28 . 2009-11-12 01:28 -------- d-----w- c:\program files\Sonic 2009-11-12 01:25 . 2009-11-12 01:25 -------- d-----w- c:\program files\Sony 2009-11-12 01:23 . 2009-11-12 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-12-11 17:16 . 2007-01-20 08:27 -------- d-----w- c:\program files\Symantec AntiVirus 2009-12-11 04:34 . 2009-03-17 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-12-10 08:33 . 2009-03-20 23:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-12-10 08:32 . 2009-12-10 08:32 4844295 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2009-12-10 08:20 . 2006-06-09 23:04 -------- d-----w- c:\program files\HiJack This 2009-12-10 05:47 . 2003-11-26 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software 2009-12-10 05:46 . 2003-11-26 23:23 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-12-04 23:07 . 2009-03-17 02:39 -------- d-----w- c:\program files\Google 2009-12-03 22:14 . 2009-03-20 23:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-12-03 22:13 . 2009-03-20 23:29 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-28 02:00 . 2009-09-25 22:50 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe 2009-11-25 16:17 . 2009-12-11 16:53 2063640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll 2009-11-25 16:17 . 2009-12-11 16:53 3514648 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe 2009-11-25 16:17 . 2009-12-11 16:53 2029336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe 2009-11-24 16:49 . 2008-01-16 00:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2009-11-21 15:51 . 2002-08-29 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll 2009-11-18 06:57 . 2009-09-03 22:56 -------- d-----w- c:\documents and settings\xxxxxxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\Apple Computer 2009-11-18 06:01 . 2009-11-18 06:01 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe 2009-11-18 06:00 . 2009-09-03 22:53 -------- d-----w- c:\program files\Common Files\Apple 2009-11-18 05:33 . 2009-11-18 05:33 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe 2009-11-15 21:39 . 2009-09-03 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple 2009-11-08 20:11 . 2004-06-08 23:38 -------- d-----w- c:\program files\LimeWire 2009-11-04 00:05 . 2009-03-21 19:42 -------- d-----w- c:\program files\Java 2009-11-04 00:04 . 2009-11-04 00:04 152576 ----a-w- c:\documents and settings\xxxxxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\Sun\Java\jre1.6.0_17\lzma.dll 2009-10-29 07:45 . 2004-02-06 23:05 916480 ------w- c:\windows\system32\wininet.dll 2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll 2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll 2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys 2009-10-17 02:15 . 2009-06-19 23:24 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe 2009-10-13 10:30 . 2002-08-29 11:00 270336 ----a-w- c:\windows\system32\oakley.dll 2009-10-12 13:38 . 2002-08-29 11:00 149504 ----a-w- c:\windows\system32\rastls.dll 2009-10-12 13:38 . 2002-08-29 11:00 79872 ----a-w- c:\windows\system32\raschap.dll 2009-10-11 10:17 . 2009-03-19 03:07 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-09-25 22:51 . 2009-06-19 23:24 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe 2009-09-25 22:51 . 2009-06-19 23:24 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll 2009-09-25 22:51 . 2009-06-19 23:24 168800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll 2009-09-25 22:51 . 2009-05-29 22:27 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe 2009-09-25 22:51 . 2009-09-25 22:51 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll 2009-09-25 22:51 . 2009-06-19 23:24 349008 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll 2009-09-25 22:51 . 2009-06-19 23:24 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll 2009-09-25 22:51 . 2009-06-19 23:24 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll 2009-09-25 22:51 . 2009-05-29 22:27 84320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll 2009-09-25 22:51 . 2009-05-29 22:27 246640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll 2009-09-25 22:50 . 2009-09-25 22:50 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys 2009-09-25 22:50 . 2009-05-29 22:27 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll 2009-09-25 22:50 . 2009-09-25 22:50 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe 2009-09-25 22:50 . 2009-06-19 23:24 664936 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll 2009-09-25 22:50 . 2009-06-19 23:24 562552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe 2009-09-25 22:50 . 2009-06-19 23:24 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe 2009-09-25 22:50 . 2009-06-19 23:24 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe 2009-09-25 22:50 . 2009-06-19 23:24 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe 2009-09-25 22:50 . 2009-06-19 23:24 1028432 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112] "PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016] "IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-25 126976] "DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680] "CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152] "CTDVDDET"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-08-03 124232] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-21 198160] c:\documents and settings\xxxxxxxxxxxxxxxxxxx.D4G6V31.000\Start Menu\Programs\Startup\ ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-08-18 19:30 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk backup=c:\windows\pss\Windows Search.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch] 2009-09-25 22:50 520024 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY] 2009-12-11 16:52 2043160 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG] 2003-08-29 09:59 122880 ----a-w- c:\windows\BCMSMMSG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU] 2003-09-10 20:47 61440 ----a-w- c:\dell\BLDBUBG.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper] 2006-08-11 19:56 17920 ----a-w- c:\windows\CTHELPER.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp] 2006-08-11 19:56 18944 ----a-w- c:\windows\SYSTEM32\CTXFIHLP.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtxfiReg] 2006-08-11 19:53 42496 ----a-w- c:\windows\SYSTEM32\CTXFIREG.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher] 2008-06-12 15:00 113136 ----a-w- c:\program files\Roxio\CinePlayer\DMXLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DwlClient] 2004-05-28 01:05 323584 ----a-w- c:\program files\Common Files\Dell\EUSW\Support.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWITOOLBOX] 2003-07-24 06:28 290816 ----a-w- c:\program files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler] 2008-10-24 14:14 79136 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2009-10-29 02:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] 2003-06-18 18:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2009-09-05 07:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray] 2008-06-23 15:05 244208 ----a-w- c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon] 2002-04-17 15:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] 2009-03-21 16:07 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] 2006-03-30 21:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG] 2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\StubInstaller.exe"= "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"= "c:\\Program Files\\LightWave [8]\\Programs\\hub.exe"= "c:\\Program Files\\LightWave [8]\\Programs\\lightwav.exe"= "c:\\Program Files\\LightWave [8]\\Programs\\modeler.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [3/31/2009 9:07 PM 64160] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [1/2/2009 6:41 PM 335240] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/2/2009 6:05 PM 297752] S2 gupdate1c9a6a9f2595210;Google Update Service (gupdate1c9a6a9f2595210);c:\program files\Google\Update\GoogleUpdate.exe [3/16/2009 8:41 PM 133104] S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [6/23/2008 9:08 AM 362992] S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [6/23/2008 9:06 AM 309744] S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [6/23/2008 9:06 AM 166384] S2 SessionLauncher;SessionLauncher;c:\docume~1\xxxxxx~1.000\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\BARRYF~1.000\LOCALS~1\Temp\DX9\SessionLauncher.exe [?] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 1:06 PM 1028432] S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [6/23/2008 9:08 AM 313840] S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [6/23/2008 9:05 AM 1120752] S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [8/2/2004 7:36 PM 173392] . ------- Supplementary Scan ------- . uStart Page = hxxp://www.rr.com/flash/index.cfm uInternet Settings,ProxyServer = http=127.0.0.1:5555 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 IE: LimeShop Preferences - file://c:\program files\LimeShop\System\Temp\limeshop_script0.htm DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} - hxxp://www.evite.com/html/imageUpload/ImageUploader4.cab DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} - hxxp://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url] Rootkit scan 2009-12-11 11:17 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(808) c:\windows\system32\Ati2evxx.dll - - - - - - - > 'explorer.exe'(524) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll c:\program files\WinRAR\rarext.dll c:\program files\Roxio\Virtual Drive 10\DC_ShellExt.dll c:\program files\Malwarebytes' Anti-Malware\mbamext.dll c:\program files\Common Files\Symantec Shared\SSC\vpshell2.dll c:\program files\Lavasoft\Ad-Aware\ShellExt.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll c:\program files\Microsoft Office\OFFICE11\msohev.dll c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\windows\system32\Ati2evxx.exe c:\program files\Common Files\Symantec Shared\ccSetMgr.exe c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\System32\CTsvcCDA.exe c:\program files\Symantec AntiVirus\DefWatch.exe c:\program files\Intel\Intel Application Accelerator\iaantmon.exe c:\windows\system32\cba\pds.exe c:\progra~1\AVG\AVG8\avgrsx.exe c:\program files\iolo\Common\Lib\ioloDMVSvc.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe c:\progra~1\Symantec\SYMANT~1\NSCTOP.EXE c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe c:\program files\Symantec AntiVirus\Rtvscan.exe c:\windows\System32\MsPMSPSv.exe c:\windows\system32\ams_ii\hndlrsvc.exe c:\windows\system32\MsgSys.EXE c:\windows\system32\ams_ii\iao.exe c:\windows\system32\cba\xfr.exe c:\program files\Windows Media Player\WMPNetwk.exe . ************************************************************************** . Completion time: 2009-12-11 11:26:46 - machine was rebooted ComboFix-quarantined-files.txt 2009-12-11 17:26 ComboFix2.txt 2009-12-11 04:17 Pre-Run: 65,852,817,408 bytes free Post-Run: 65,823,268,864 bytes free - - End Of File - - 8AF3C103CF47C613901743F8442CE18F
  5. Thanks, here you go: ComboFix 09-12-10.01 - xxxxxxxxxxxxxxxxxx 12/10/2009 21:45:08.3.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2616 [GMT -6:00] Running from: c:\documents and settings\xxxxxxxxxxxxxxxxxxxx.D4G6V31.000\Desktop\ComboFix.exe AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\clrviddc.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_6TO4 ((((((((((((((((((((((((( Files Created from 2009-11-11 to 2009-12-11 ))))))))))))))))))))))))))))))) . 2009-12-10 09:25 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll 2009-12-10 05:02 . 2009-12-10 05:02 156672 ----a-w- C:\dcgwhpoh.exe 2009-12-10 05:02 . 2009-12-10 05:02 52736 ----a-w- C:\ryiasu.exe 2009-12-10 05:02 . 2009-12-10 05:02 111271 ----a-w- C:\udhkiixx.exe 2009-12-10 05:02 . 2009-12-10 05:02 45056 ----a-w- C:\ddnany.exe 2009-12-10 05:02 . 2009-12-10 05:02 30208 ----a-w- C:\dror.exe 2009-11-18 06:02 . 2009-11-18 06:03 -------- d-----w- c:\program files\Safari 2009-11-18 05:41 . 2009-11-18 06:00 -------- d-----w- c:\program files\iPod 2009-11-18 05:41 . 2009-11-18 06:00 -------- d-----w- c:\program files\iTunes 2009-11-18 05:41 . 2009-11-18 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD} 2009-11-18 05:38 . 2009-11-18 05:39 -------- d-----w- c:\program files\QuickTime 2009-11-16 23:41 . 2001-08-18 04:36 5632 ----a-w- c:\windows\system32\ptpusb.dll 2009-11-16 23:40 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll 2009-11-12 01:32 . 2009-11-12 01:32 -------- d-----w- c:\documents and settings\xxxxxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\Sony Corporation 2009-11-12 01:30 . 2007-04-05 00:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll 2009-11-12 01:30 . 2007-04-05 00:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll 2009-11-12 01:28 . 2006-06-12 09:30 89264 ----a-w- c:\windows\system32\drivers\DRVMCDB.SYS 2009-11-12 01:28 . 2006-03-17 14:35 5660 ----a-w- c:\windows\system32\drivers\DLACDBHM.SYS 2009-11-12 01:28 . 2006-03-17 11:20 40544 ----a-w- c:\windows\system32\drivers\DRVNDDM.SYS 2009-11-12 01:28 . 2009-11-12 01:28 -------- d-----w- c:\windows\system32\DLA 2009-11-12 01:28 . 2006-06-13 11:20 94263 ----a-w- c:\windows\DLA.EXE 2009-11-12 01:28 . 2006-06-13 11:20 61500 ----a-w- c:\windows\system32\DLAAPI_W.DLL 2009-11-12 01:28 . 2006-03-17 14:34 22684 ----a-w- c:\windows\system32\drivers\DLARTL_N.SYS 2009-11-12 01:28 . 2009-11-12 01:28 -------- d-----w- c:\program files\Sonic 2009-11-12 01:25 . 2009-11-12 01:25 -------- d-----w- c:\program files\Sony 2009-11-12 01:23 . 2009-11-12 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-12-11 03:56 . 2007-01-20 08:27 -------- d-----w- c:\program files\Symantec AntiVirus 2009-12-10 08:33 . 2009-03-20 23:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-12-10 08:32 . 2009-12-10 08:32 4844295 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2009-12-10 08:20 . 2006-06-09 23:04 -------- d-----w- c:\program files\HiJack This 2009-12-10 05:47 . 2003-11-26 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software 2009-12-10 05:46 . 2003-11-26 23:23 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-12-10 03:33 . 2009-03-17 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-12-04 23:07 . 2009-03-17 02:39 -------- d-----w- c:\program files\Google 2009-12-03 22:14 . 2009-03-20 23:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-12-03 22:13 . 2009-03-20 23:29 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-28 02:00 . 2009-09-25 22:50 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe 2009-11-24 16:49 . 2008-01-16 00:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2009-11-18 06:57 . 2009-09-03 22:56 -------- d-----w- c:\documents and settings\xxxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\Apple Computer 2009-11-18 06:01 . 2009-11-18 06:01 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe 2009-11-18 06:00 . 2009-09-03 22:53 -------- d-----w- c:\program files\Common Files\Apple 2009-11-18 05:33 . 2009-11-18 05:33 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe 2009-11-15 21:39 . 2009-09-03 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple 2009-11-08 20:11 . 2004-06-08 23:38 -------- d-----w- c:\program files\LimeWire 2009-11-04 00:05 . 2009-03-21 19:42 -------- d-----w- c:\program files\Java 2009-11-04 00:04 . 2009-11-04 00:04 152576 ----a-w- c:\documents and settings\xxxxxxxxxxxxxxx.D4G6V31.000\Application Data\Sun\Java\jre1.6.0_17\lzma.dll 2009-10-29 07:45 . 2004-02-06 23:05 916480 ----a-w- c:\windows\system32\wininet.dll 2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll 2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll 2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys 2009-10-17 02:15 . 2009-06-19 23:24 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe 2009-10-13 10:30 . 2002-08-29 11:00 270336 ----a-w- c:\windows\system32\oakley.dll 2009-10-12 13:38 . 2002-08-29 11:00 149504 ----a-w- c:\windows\system32\rastls.dll 2009-10-12 13:38 . 2002-08-29 11:00 79872 ----a-w- c:\windows\system32\raschap.dll 2009-10-11 10:17 . 2009-03-19 03:07 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-09-25 22:51 . 2009-06-19 23:24 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe 2009-09-25 22:51 . 2009-06-19 23:24 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll 2009-09-25 22:51 . 2009-06-19 23:24 168800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll 2009-09-25 22:51 . 2009-05-29 22:27 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe 2009-09-25 22:51 . 2009-09-25 22:51 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll 2009-09-25 22:51 . 2009-06-19 23:24 349008 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll 2009-09-25 22:51 . 2009-06-19 23:24 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll 2009-09-25 22:51 . 2009-06-19 23:24 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll 2009-09-25 22:51 . 2009-05-29 22:27 84320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll 2009-09-25 22:51 . 2009-05-29 22:27 246640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll 2009-09-25 22:50 . 2009-09-25 22:50 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys 2009-09-25 22:50 . 2009-05-29 22:27 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll 2009-09-25 22:50 . 2009-09-25 22:50 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe 2009-09-25 22:50 . 2009-06-19 23:24 664936 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll 2009-09-25 22:50 . 2009-06-19 23:24 562552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe 2009-09-25 22:50 . 2009-06-19 23:24 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe 2009-09-25 22:50 . 2009-06-19 23:24 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe 2009-09-25 22:50 . 2009-06-19 23:24 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe 2009-09-25 22:50 . 2009-06-19 23:24 1028432 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112] "PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016] "IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-25 126976] "DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680] "CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152] "CTDVDDET"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-08-03 124232] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-21 198160] c:\documents and settings\xxxxxxxxxxxxxxxx.D4G6V31.000\Start Menu\Programs\Startup\ ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-08-18 19:30 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk backup=c:\windows\pss\Windows Search.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch] 2009-09-25 22:50 520024 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY] 2009-11-25 16:17 2029336 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG] 2003-08-29 09:59 122880 ----a-w- c:\windows\BCMSMMSG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU] 2003-09-10 20:47 61440 ----a-w- c:\dell\BLDBUBG.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper] 2006-08-11 19:56 17920 ----a-w- c:\windows\CTHELPER.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp] 2006-08-11 19:56 18944 ----a-w- c:\windows\SYSTEM32\CTXFIHLP.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtxfiReg] 2006-08-11 19:53 42496 ----a-w- c:\windows\SYSTEM32\CTXFIREG.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher] 2008-06-12 15:00 113136 ----a-w- c:\program files\Roxio\CinePlayer\DMXLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DwlClient] 2004-05-28 01:05 323584 ----a-w- c:\program files\Common Files\Dell\EUSW\Support.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWITOOLBOX] 2003-07-24 06:28 290816 ----a-w- c:\program files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler] 2008-10-24 14:14 79136 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2009-10-29 02:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] 2003-06-18 18:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2009-09-05 07:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray] 2008-06-23 15:05 244208 ----a-w- c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon] 2002-04-17 15:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] 2009-03-21 16:07 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] 2006-03-30 21:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG] 2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\StubInstaller.exe"= "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"= "c:\\Program Files\\LightWave [8]\\Programs\\hub.exe"= "c:\\Program Files\\LightWave [8]\\Programs\\lightwav.exe"= "c:\\Program Files\\LightWave [8]\\Programs\\modeler.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [3/31/2009 9:07 PM 64160] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [1/2/2009 6:41 PM 335240] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/2/2009 6:05 PM 297752] S2 gupdate1c9a6a9f2595210;Google Update Service (gupdate1c9a6a9f2595210);c:\program files\Google\Update\GoogleUpdate.exe [3/16/2009 8:41 PM 133104] S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [6/23/2008 9:08 AM 362992] S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [6/23/2008 9:06 AM 309744] S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [6/23/2008 9:06 AM 166384] S2 SessionLauncher;SessionLauncher;c:\docume~1\xxxxxx~1.000\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\xxxxxx~1.000\LOCALS~1\Temp\DX9\SessionLauncher.exe [?] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 1:06 PM 1028432] S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [6/23/2008 9:08 AM 313840] S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [6/23/2008 9:05 AM 1120752] S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [8/2/2004 7:36 PM 173392] S3 winsts;winsts;\??\c:\windows\system32\winsts.sys --> c:\windows\system32\winsts.sys [?] . ------- Supplementary Scan ------- . uStart Page = hxxp://www.rr.com/flash/index.cfm uInternet Settings,ProxyServer = http=127.0.0.1:5555 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 IE: LimeShop Preferences - file://c:\program files\LimeShop\System\Temp\limeshop_script0.htm DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} - hxxp://www.evite.com/html/imageUpload/ImageUploader4.cab DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} - hxxp://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab . - - - - ORPHANS REMOVED - - - - SafeBoot-AVG Anti-Spyware Driver SafeBoot-AVG Anti-Spyware Guard AddRemove-HijackThis - c:\docume~1\xxxxxx~1.000\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url] Rootkit scan 2009-12-10 22:06 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(816) c:\windows\system32\Ati2evxx.dll - - - - - - - > 'explorer.exe'(3548) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\windows\system32\Ati2evxx.exe c:\program files\Common Files\Symantec Shared\ccSetMgr.exe c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\System32\CTsvcCDA.exe c:\program files\Symantec AntiVirus\DefWatch.exe c:\program files\Intel\Intel Application Accelerator\iaantmon.exe c:\windows\system32\cba\pds.exe c:\progra~1\AVG\AVG8\avgrsx.exe c:\program files\iolo\Common\Lib\ioloDMVSvc.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe c:\progra~1\Symantec\SYMANT~1\NSCTOP.EXE c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe c:\program files\Symantec AntiVirus\Rtvscan.exe c:\windows\System32\MsPMSPSv.exe c:\windows\system32\ams_ii\hndlrsvc.exe c:\windows\system32\MsgSys.EXE c:\windows\system32\ams_ii\iao.exe c:\windows\system32\cba\xfr.exe c:\program files\Windows Media Player\WMPNetwk.exe . ************************************************************************** . Completion time: 2009-12-10 22:17:59 - machine was rebooted ComboFix-quarantined-files.txt 2009-12-11 04:17 Pre-Run: 66,066,202,624 bytes free Post-Run: 65,963,925,504 bytes free - - End Of File - - AF3AB93C7EB9C1598ED59699A348C273
  6. After uploading my Hijack This log, I updated and ran Malwarebytes Anti-Malware which found 27 infections in 'fast scan': Malwarebytes' Anti-Malware 1.42 Database version: 3289 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 12/10/2009 2:43:22 AM mbam-log-2009-12-10 (02-43-22).txt Scan type: Quick Scan Objects scanned: 140275 Time elapsed: 8 minute(s), 11 second(s) Memory Processes Infected: 1 Memory Modules Infected: 2 Registry Keys Infected: 4 Registry Values Infected: 8 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 12 Memory Processes Infected: C:\WINDOWS\SYSTEM32\FastNetSrv.exe (Backdoor.Bot) -> Unloaded process successfully. Memory Modules Infected: C:\WINDOWS\SYSTEM32\curslib.dll (Spyware.Passwords) -> Delete on reboot. c:\WINDOWS\SYSTEM32\6to4v32.dll (Trojan.Agent) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FASTNETSRV (Backdoor.Bot) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\SYSTEM32\FastNetSrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\winsts.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\wmdtc.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\wincert.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\curslib.dll (Spyware.Passwords) -> Delete on reboot. C:\WINDOWS\SYSTEM32\BtwSrv.dll (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\lsm32.sys (Backdoor.Bot) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\6to4v32.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\SYSTEM32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\flags.ini (Malware.Trace) -> Delete on reboot. C:\WINDOWS\SYSTEM32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.
  7. Originally my computer appeared to be infected and would not let me open IE8, msconfig, task manager, or right click on any application. It would also redirect my homepage to it's own site. I was also unable to run Hijack this without being in Safemode first. I managed to locate a suspicious 'startup' file called nuldsysguard which I went into the registry editor and manually deleted as well as the actual application in C\programs. Here is the latest Hijack This log, I am able to get back on IE8 and everything appears to be running normally, but would you please check this to ensure that I have completely deleted this (or any other) infection? Logfile of HijackThis v1.99.1 Scan saved at 2:20:49 AM, on 12/10/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\system32\FastNetSrv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe C:\WINDOWS\system32\cba\pds.exe C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ams_ii\hndlrsvc.exe C:\WINDOWS\system32\MsgSys.EXE C:\WINDOWS\system32\ams_ii\iao.exe C:\WINDOWS\system32\cba\xfr.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE C:\PROGRA~1\SYMANT~1\VPTray.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\HiJack This\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://www.rr.com/flash/index.cfm"]http://www.rr.com/flash/index.cfm[/url] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url] R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url] R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll O11 - Options group: [INTERNATIONAL] International O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - [url="http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab"]http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab[/url] O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - [url="http://www.creative.com/su/ocx/15030/CTSUEng.cab"]http://www.creative.com/su/ocx/15030/CTSUEng.cab[/url] O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - [url="http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab"]http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab[/url] O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [url="http://lads.myspace.com/upload/MySpaceUploader1006.cab"]http://lads.myspace.com/upload/MySpaceUploader1006.cab[/url] O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - [url="http://www.evite.com/html/imageUpload/ImageUploader5.cab"]http://www.evite.com/html/imageUpload/ImageUploader5.cab[/url] O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - [url="https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab"]https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab[/url] O16 - DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} (Image Uploader Control) - [url="http://www.evite.com/html/imageUpload/ImageUploader4.cab"]http://www.evite.com/html/imageUpload/ImageUploader4.cab[/url] O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - [url="http://cs7b.instantservice.com/jars/customerxsigned40.cab"]http://cs7b.instantservice.com/jars/customerxsigned40.cab[/url] O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - [url="http://web1.shutterfly.com/downloads/Uploader.cab"]http://web1.shutterfly.com/downloads/Uploader.cab[/url] O16 - DPF: {9D5B6642-8C3F-4504-B2FC-42779ABAE4B9} (Snapfish File Upload ActiveX Control) - [url="http://www.snapfish.com/SnapfishUpload.cab"]http://www.snapfish.com/SnapfishUpload.cab[/url] O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [url="http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab"]http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab[/url] O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - [url="http://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab"]http://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab[/url] O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - [url="http://www.creative.com/su/ocx/15030/CTPID.cab"]http://www.creative.com/su/ocx/15030/CTPID.cab[/url] O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing) O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe O23 - Service: Google Update Service (gupdate1c9a6a9f2595210) (gupdate1c9a6a9f2595210) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing) O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS\system32\ams_ii\iao.exe O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing) O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\xxxxxx~1.000\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing) O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  8. Recently, I was assisted by the kind folks at Lavasoft in cleaning my computer and one of the final recommendations was to download and install MVPS Hosts to redirect advertising when surfing on the internet. Upon running Ad-Aware tonight, I received 2 suspicious logs: Name: Type Cat Object Redirected hostfile entry | Hosts file | Misc | 127.0.0.1 dl.jiangmin.com #[Adware-BDSearch.dr]127.0.0.1 Redirected hostfile entry | Hosts file | Misc | 127.0.0.1 ms-mvp.org127.0.0.1 Upon searching MVPS Hosts website, it mentions dl.jiangmin.com as being a commonly reported false positive, however, I was unable to find information on the other one. Can you confirm if these can be ignored or should they be deleted? Thanks in advance.
  9. Attempted to fix it using HiJack This, but I receive an error message: An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: C:\\WINDOWS\System32\telonapi.dll) Error #5 - Invalid procedure call or arguement Howerer, when I attempted to rerun HiJack This, 'O20 - AppInit_DLLs: C:\WINDOWS\system32\telonapi.dll' it appears to no longer be there. New HJT log: Logfile of HijackThis v1.99.1 Scan saved at 12:50:18 PM, on 3/21/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16791) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe C:\WINDOWS\system32\cba\pds.exe C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ams_ii\hndlrsvc.exe C:\WINDOWS\system32\MsgSys.EXE C:\WINDOWS\system32\ams_ii\iao.exe C:\WINDOWS\system32\cba\xfr.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe C:\WINDOWS\System32\DSentry.exe C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE C:\Program Files\Java\jre6\bin\jusched.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\HiJack This\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [iNTERNATIONAL] International* O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://preview.evite.com/js/ImageUploader5.cab O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab O16 - DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} (Image Uploader Control) - http://www.evite.com/html/imageUpload/ImageUploader4.cab O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned40.cab O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab O16 - DPF: {9D5B6642-8C3F-4504-B2FC-42779ABAE4B9} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - http://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing) O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Google Update Service (gupdate1c9a6a9f2595210) (gupdate1c9a6a9f2595210) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing) O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS\system32\ams_ii\iao.exe O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing) O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Owner~1.000\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing) O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  10. Logfile of HijackThis v1.99.1 Scan saved at 10:58:45 AM, on 3/21/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16791) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe C:\WINDOWS\system32\cba\pds.exe C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\System32\DSentry.exe C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ams_ii\hndlrsvc.exe C:\WINDOWS\system32\MsgSys.EXE C:\WINDOWS\system32\ams_ii\iao.exe C:\WINDOWS\system32\cba\xfr.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\HiJack This\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [iNTERNATIONAL] International* O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://preview.evite.com/js/ImageUploader5.cab O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab O16 - DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} (Image Uploader Control) - http://www.evite.com/html/imageUpload/ImageUploader4.cab O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned40.cab O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab O16 - DPF: {9D5B6642-8C3F-4504-B2FC-42779ABAE4B9} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - http://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: C:\WINDOWS\system32\telonapi.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing) O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Google Update Service (gupdate1c9a6a9f2595210) (gupdate1c9a6a9f2595210) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing) O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS\system32\ams_ii\iao.exe O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing) O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Owner~1.000\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing) O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  11. MBAM notes: Malwarebytes' Anti-Malware 1.34 Database version: 1879 Windows 5.1.2600 Service Pack 3 3/20/2009 6:36:14 PM mbam-log-2009-03-20 (18-36-14).txt Scan type: Quick Scan Objects scanned: 88906 Time elapsed: 5 minute(s), 7 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 2 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\SYSTEM32\winlogon.ini (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully. Kaspersky Notes: -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Friday, March 20, 2009 Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Saturday, March 21, 2009 00:55:02 Records in database: 1942597 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: A:\ C:\ D:\ E:\ Scan statistics: Files scanned: 105011 Threat name: 2 Infected objects: 2 Suspicious objects: 0 Duration of the scan: 02:50:28 File name / Threat name / Threats count C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hikebaga.dll.vir Infected: Trojan.Win32.Monder.bqgv 1 The selected area was scanned.
  12. ComboFix 09-03-18.01 - Owner 2009-03-20 7:57:00.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2696 [GMT -5:00] Running from: c:\documents and settings\Owner.D4G6V31.000\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Owner.D4G6V31.000\Desktop\CFScript.txt AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\SYSTEM32\jeziluku.dll c:\windows\SYSTEM32\sosazeri.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_ACJNNVJB -------\Service_ACJNNVJB ((((((((((((((((((((((((( Files Created from 2009-02-20 to 2009-03-20 ))))))))))))))))))))))))))))))) . 2009-03-18 22:16 . 2009-03-18 22:16 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl 2009-03-18 22:07 . 2009-03-18 22:16 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll 2009-03-16 21:39 . 2009-03-16 21:42 <DIR> d-------- c:\program files\Google 2009-03-16 21:39 . 2009-03-19 19:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-03-20 12:53 --------- d-----w c:\program files\Symantec AntiVirus 2009-03-19 03:11 --------- d-----w c:\program files\Java 2009-02-22 05:09 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2009-02-17 04:08 --------- d-----w c:\documents and settings\Owner.D4G6V31.000\Application Data\Move Networks 2009-02-03 00:05 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys 2009-02-03 00:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg8 2007-06-19 04:55 24,192 ----a-w c:\documents and settings\Owner.D4G6V31.000\usbsermptxp.sys 2007-06-19 04:55 22,768 ----a-w c:\documents and settings\Owner.D4G6V31.000\usbsermpt.sys 2007-02-11 06:30 910 ---ha-w c:\documents and settings\Owner.D4G6V31.000\hpothb07.dat 2007-02-11 06:29 815 ---ha-w c:\documents and settings\All Users\hpothb07.dat 2004-05-30 17:02 0 ---ha-w c:\documents and settings\Owner.D4G6V31\hpothb07.dat 2004-05-30 16:52 7,547 ---ha-w c:\documents and settings\Owner\hpothb07.dat 2003-12-14 00:31 12,492,832 ---h--r c:\documents and settings\Owner\SYSTEM.DAT 2003-12-14 00:31 1,884,192 ---h--r c:\documents and settings\Owner\USER.DAT 2003-02-28 22:35 6,550 ----a-w c:\documents and settings\Owner\JAUTOEXP.DAT 2001-05-05 17:39 311,328 ---h--r c:\documents and settings\Owner\HWINFO.DAT 2000-07-06 04:57 9,238 ----a-w c:\documents and settings\Owner\hh.dat 1999-11-23 03:42 16,384 ----a-w c:\documents and settings\Owner\MSIMGSIZ.DAT 1999-06-13 18:04 907 ----a-w c:\documents and settings\Owner\EReg072.dat 1999-05-21 21:37 30 ----a-w c:\documents and settings\Owner\INTURS.DAT . ((((((((((((((((((((((((((((( [email protected]_19.00.55.25 ))))))))))))))))))))))))))))))))))))))))) . + 2009-03-20 13:03:45 16,384 ----atw c:\windows\temp\Perflib_Perfdata_12c.dat + 2009-03-20 13:03:42 16,384 ----atw c:\windows\temp\Perflib_Perfdata_73c.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112] "PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016] "IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-25 126976] "DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 66680] "CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152] "CTDVDDET"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-18 148888] "CTHelper"="CTHELPER.EXE" [2003-02-20 c:\windows\SYSTEM32\CTHELPER.EXE] "AsioReg"="CTASIO.DLL" [2003-02-20 c:\windows\SYSTEM32\ctasio.dll] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-02-02 19:05 10520 c:\windows\SYSTEM32\avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\telonapi.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu] /L:ENG [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY] --a------ 2009-02-02 19:05 1601304 c:\progra~1\AVG\AVG8\avgtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU] --a------ 2003-09-10 15:47 61440 c:\dell\BLDBUBG.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher] --a------ 2008-06-12 10:00 113136 c:\program files\Roxio\CinePlayer\DMXLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DwlClient] --a------ 2004-05-27 20:05 323584 c:\program files\Common Files\Dell\EUSW\Support.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWITOOLBOX] --a------ 2003-07-24 01:28 290816 c:\program files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler] --a------ 2006-09-11 05:40 86960 c:\program files\Common Files\InstallShield\UpdateService\issch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] --a------ 2003-06-18 13:00 200704 c:\program files\Microsoft Money\System\mnyexpr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2006-12-11 00:02 282624 c:\program files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray] --a------ 2008-06-23 10:05 244208 c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon] --a------ 2002-04-17 10:42 69632 c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2006-03-18 11:30 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] -ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray] --a------ 2004-08-02 20:36 124232 c:\progra~1\SYMANT~1\VPTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG] --------- 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG] --a------ 2003-08-29 04:59 122880 c:\windows\BCMSMMSG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Symantec AntiVirus"=2 (0x2) "NSCTOP"=2 (0x2) "DefWatch"=2 (0x2) "ccSetMgr"=2 (0x2) "ccPwdSvc"=3 (0x3) "ccEvtMgr"=2 (0x2) "avg8wd"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\StubInstaller.exe"= "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"= "c:\\Program Files\\LightWave [8]\\Programs\\hub.exe"= "c:\\Program Files\\LightWave [8]\\Programs\\lightwav.exe"= "c:\\Program Files\\LightWave [8]\\Programs\\modeler.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2009-01-02 325128] R2 NwSapAgent;SAP Agent;c:\windows\System32\svchost.exe -k netsvcs [2002-08-29 14336] S2 gupdate1c9a6a9f2595210;Google Update Service (gupdate1c9a6a9f2595210);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 133104] S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2008-06-23 362992] S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2008-06-23 309744] S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2008-06-23 166384] S2 SessionLauncher;SessionLauncher;c:\docume~1\Owner~1.000\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\Owner~1.000\LOCALS~1\Temp\DX9\SessionLauncher.exe [?] S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2008-06-23 313840] S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-06-23 1120752] S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-08-02 173392] S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-02 298264] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07506714-b96e-11db-808c-000cf17cb389}] \Shell\AutoRun\command - f:\wd_windows_tools\setup.exe . Contents of the 'Scheduled Tasks' folder 2009-03-20 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-16 21:39] 2009-03-20 c:\windows\Tasks\GoogleUpdateTaskMachine.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 21:41] . - - - - ORPHANS REMOVED - - - - HKLM-Run-rajivinoki - c:\windows\system32\jeziluku.dll . ------- Supplementary Scan ------- . uStart Page = hxxp://www.rr.com/flash/index.cfm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 IE: LimeShop Preferences - file://c:\program files\LimeShop\System\Temp\limeshop_script0.htm DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} - hxxp://www.evite.com/html/imageUpload/ImageUploader4.cab DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} - hxxp://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-03-20 08:04:25 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(828) c:\windows\system32\Ati2evxx.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\SYSTEM32\ati2evxx.exe c:\windows\SYSTEM32\ati2evxx.exe c:\program files\AVG\AVG8\avgrsx.exe c:\windows\SYSTEM32\CTSVCCDA.EXE c:\program files\Intel\Intel Application Accelerator\iaantmon.exe c:\windows\SYSTEM32\CBA\PDS.EXE c:\program files\iolo\Common\Lib\ioloDMVSvc.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe c:\windows\SYSTEM32\MsPMSPSv.exe c:\windows\SYSTEM32\AMS_II\HNDLRSVC.EXE c:\windows\SYSTEM32\MSGSYS.EXE c:\windows\SYSTEM32\AMS_II\IAO.EXE c:\windows\SYSTEM32\CBA\XFR.EXE c:\program files\Windows Media Player\wmpnetwk.exe . ************************************************************************** . Completion time: 2009-03-20 8:11:45 - machine was rebooted [Owner] ComboFix-quarantined-files.txt 2009-03-20 13:11:40 ComboFix2.txt 2009-03-20 00:02:09 Pre-Run: 78,705,418,240 bytes free Post-Run: 78,687,502,336 bytes free 209 --- E O F --- 2009-03-14 18:58:48
  13. ComboFix 09-03-18.01 - Owner 2009-03-19 18:43:33.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2740 [GMT -5:00] Running from: c:\documents and settings\Owner.D4G6V31.000\Desktop\ComboFix.exe AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat c:\program files\INSTALL.LOG c:\windows\IE4 Error Log.txt c:\windows\system32\hikebaga.dll c:\windows\system32\thlwin32.dll ----- BITS: Possible infected sites ----- hxxp://sunmicro.ht.rd.llnw.net . ((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 ))))))))))))))))))))))))))))))) . 2009-03-18 22:16 . 2009-03-18 22:16 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl 2009-03-18 22:07 . 2009-03-18 22:16 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll 2009-03-16 21:39 . 2009-03-16 21:42 <DIR> d-------- c:\program files\Google 2009-03-16 21:39 . 2009-03-18 18:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-03-19 23:35 --------- d-----w c:\program files\Symantec AntiVirus 2009-03-19 03:11 --------- d-----w c:\program files\Java 2009-02-22 05:09 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2009-02-17 04:08 --------- d-----w c:\documents and settings\Owner.D4G6V31.000\Application Data\Move Networks 2009-02-03 00:05 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys 2009-02-03 00:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg8 2007-06-19 04:55 24,192 ----a-w c:\documents and settings\Owner.D4G6V31.000\usbsermptxp.sys 2007-06-19 04:55 22,768 ----a-w c:\documents and settings\Owner.D4G6V31.000\usbsermpt.sys 2007-02-11 06:30 910 ---ha-w c:\documents and settings\Owner.D4G6V31.000\hpothb07.dat 2007-02-11 06:29 815 ---ha-w c:\documents and settings\All Users\hpothb07.dat 2004-05-30 17:02 0 ---ha-w c:\documents and settings\Owner.D4G6V31\hpothb07.dat 2004-05-30 16:52 7,547 ---ha-w c:\documents and settings\Owner\hpothb07.dat 2003-12-14 00:31 12,492,832 ---h--r c:\documents and settings\Owner\SYSTEM.DAT 2003-12-14 00:31 1,884,192 ---h--r c:\documents and settings\Owner\USER.DAT 2003-02-28 22:35 6,550 ----a-w c:\documents and settings\Owner\JAUTOEXP.DAT 2001-05-05 17:39 311,328 ---h--r c:\documents and settings\Owner\HWINFO.DAT 2000-07-06 04:57 9,238 ----a-w c:\documents and settings\Owner\hh.dat 1999-11-23 03:42 16,384 ----a-w c:\documents and settings\Owner\MSIMGSIZ.DAT 1999-06-13 18:04 907 ----a-w c:\documents and settings\Owner\EReg072.dat 1999-05-21 21:37 30 ----a-w c:\documents and settings\Owner\INTURS.DAT 1601-01-01 00:12 68,608 --sha-w c:\windows\SYSTEM32\jeziluku.dll 1601-01-01 00:12 109,056 --sha-w c:\windows\SYSTEM32\sosazeri.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112] "PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016] "IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-25 126976] "DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 66680] "CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152] "CTDVDDET"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-18 148888] "rajivinoki"="c:\windows\system32\jeziluku.dll" [ 68608] "CTHelper"="CTHELPER.EXE" [2003-02-20 c:\windows\SYSTEM32\CTHELPER.EXE] "AsioReg"="CTASIO.DLL" [2003-02-20 c:\windows\SYSTEM32\ctasio.dll] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-02-02 19:05 10520 c:\windows\SYSTEM32\avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\telonapi.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu] /L:ENG [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY] --a------ 2009-02-02 19:05 1601304 c:\progra~1\AVG\AVG8\avgtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU] --a------ 2003-09-10 15:47 61440 c:\dell\BLDBUBG.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher] --a------ 2008-06-12 10:00 113136 c:\program files\Roxio\CinePlayer\DMXLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DwlClient] --a------ 2004-05-27 20:05 323584 c:\program files\Common Files\Dell\EUSW\Support.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWITOOLBOX] --a------ 2003-07-24 01:28 290816 c:\program files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler] --a------ 2006-09-11 05:40 86960 c:\program files\Common Files\InstallShield\UpdateService\issch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] --a------ 2003-06-18 13:00 200704 c:\program files\Microsoft Money\System\mnyexpr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2006-12-11 00:02 282624 c:\program files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rajivinoki] --ahs---- 68608 c:\windows\SYSTEM32\jeziluku.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray] --a------ 2008-06-23 10:05 244208 c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon] --a------ 2002-04-17 10:42 69632 c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2006-03-18 11:30 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] -ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray] --a------ 2004-08-02 20:36 124232 c:\progra~1\SYMANT~1\VPTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG] --------- 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG] --a------ 2003-08-29 04:59 122880 c:\windows\BCMSMMSG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Symantec AntiVirus"=2 (0x2) "SNDSrvc"=3 (0x3) "NSCTOP"=2 (0x2) "DefWatch"=2 (0x2) "ccSetMgr"=2 (0x2) "ccPwdSvc"=3 (0x3) "avg8wd"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\StubInstaller.exe"= "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"= "c:\\Program Files\\LightWave [8]\\Programs\\hub.exe"= "c:\\Program Files\\LightWave [8]\\Programs\\lightwav.exe"= "c:\\Program Files\\LightWave [8]\\Programs\\modeler.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2009-01-02 325128] R2 NwSapAgent;SAP Agent;c:\windows\System32\svchost.exe -k netsvcs [2002-08-29 14336] S2 ACJNNVJB;ACJNNVJB;\??\c:\windows\system32\acjnnvjb.vni --> c:\windows\system32\acjnnvjb.vni [?] S2 gupdate1c9a6a9f2595210;Google Update Service (gupdate1c9a6a9f2595210);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 133104] S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2008-06-23 362992] S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2008-06-23 309744] S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2008-06-23 166384] S2 SessionLauncher;SessionLauncher;c:\docume~1\Owner~1.000\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\Owner~1.000\LOCALS~1\Temp\DX9\SessionLauncher.exe [?] S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2008-06-23 313840] S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-06-23 1120752] S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-08-02 173392] S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-02 298264] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07506714-b96e-11db-808c-000cf17cb389}] \Shell\AutoRun\command - f:\wd_windows_tools\setup.exe . Contents of the 'Scheduled Tasks' folder 2009-03-19 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-16 21:39] 2009-03-19 c:\windows\Tasks\GoogleUpdateTaskMachine.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 21:41] . - - - - ORPHANS REMOVED - - - - BHO-{0135a1de-9b20-4cfb-af44-4a055ff3083b} - c:\windows\system32\yobijowu.dll MSConfigStartUp-DLA - c:\windows\System32\DLA\DLACTRLW.EXE MSConfigStartUp-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe MSConfigStartUp-PCMService - c:\program files\Dell\Media Experience\PCMService.exe MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_03\bin\jusched.exe MSConfigStartUp-UIUCU - c:\docume~1\Owner~1.000\LOCALS~1\Temp\UIUCU.EXE . ------- Supplementary Scan ------- . uStart Page = hxxp://www.rr.com/flash/index.cfm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 IE: LimeShop Preferences - file://c:\program files\LimeShop\System\Temp\limeshop_script0.htm DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} - hxxp://www.evite.com/html/imageUpload/ImageUploader4.cab DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} - hxxp://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-03-19 18:56:23 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACJNNVJB] "ImagePath"="\??\c:\windows\system32\acjnnvjb.vni" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(824) c:\windows\system32\Ati2evxx.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\SYSTEM32\ati2evxx.exe c:\windows\SYSTEM32\ati2evxx.exe c:\program files\AVG\AVG8\avgrsx.exe c:\windows\SYSTEM32\CTSVCCDA.EXE c:\program files\Intel\Intel Application Accelerator\iaantmon.exe c:\windows\SYSTEM32\CBA\PDS.EXE c:\program files\iolo\Common\Lib\ioloDMVSvc.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe c:\windows\SYSTEM32\MsPMSPSv.exe c:\windows\SYSTEM32\AMS_II\HNDLRSVC.EXE c:\windows\SYSTEM32\MSGSYS.EXE c:\windows\SYSTEM32\AMS_II\IAO.EXE c:\windows\SYSTEM32\CBA\XFR.EXE c:\program files\Windows Media Player\wmpnetwk.exe . ************************************************************************** . Completion time: 2009-03-19 19:02:07 - machine was rebooted ComboFix-quarantined-files.txt 2009-03-20 00:02:01 Pre-Run: 78,534,549,504 bytes free Post-Run: 78,736,789,504 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn 224 --- E O F --- 2009-03-14 18:58:48
  14. Received this message at startup as I attempted to log in today: Error loading C:\\WINDOWS\System32\jeziluku.dll Access is denied I immediately checked my System Configuration Utlility and saw: Startup Item: jeziluku Command: Rundl32.exe "C:\WINDOWS\System32\jeziluku.dll",s Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Hijack This Log: Logfile of HijackThis v1.99.1 Scan saved at 11:38:53 PM, on 3/18/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16791) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe C:\WINDOWS\System32\DSentry.exe C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE C:\Program Files\Java\jre6\bin\jusched.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe C:\WINDOWS\system32\cba\pds.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\system32\ams_ii\hndlrsvc.exe C:\WINDOWS\system32\MsgSys.EXE C:\WINDOWS\system32\ams_ii\iao.exe C:\WINDOWS\system32\cba\xfr.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\system32\cidaemon.exe C:\Program Files\HiJackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm O2 - BHO: (no name) - {0135a1de-9b20-4cfb-af44-4a055ff3083b} - C:\WINDOWS\system32\yobijowu.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [rajivinoki] Rundll32.exe "C:\WINDOWS\system32\jeziluku.dll",s O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [iNTERNATIONAL] International* O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://preview.evite.com/js/ImageUploader5.cab O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab O16 - DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} (Image Uploader Control) - http://www.evite.com/html/imageUpload/ImageUploader4.cab O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned40.cab O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab O16 - DPF: {9D5B6642-8C3F-4504-B2FC-42779ABAE4B9} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - http://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: C:\WINDOWS\system32\telonapi.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing) O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Google Update Service (gupdate1c9a6a9f2595210) (gupdate1c9a6a9f2595210) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing) O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS\system32\ams_ii\iao.exe O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing) O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\BARRYF~1.000\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing) O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe I am unable to successfully remove it either normally or in Safemode. When I remove any registry keys that have "jeziluku" [i also saw keys with "rajivinoki"] and close out the Registry Editor, it just keeps coming back. I attempted to do a normal search and am unable to find the .dll file in C:\WINDOWS\System32\jeziluku.dll" either. Please help! Also, are all the above processes always running in the background? If so, there are several I would prefer not to be running unless I click on the application. Many do not appear in the Startup menu, so how would I go about deactivating them?