Virtumonde.dll - can't get rid of it


Zander
2008-05-16, 17:54
Hello,
First off - thanks a million for helping out.

Spybot has found Virtumonde.dll on my computer and it was unable to remove three of the library files. In the description field it said to go to this forum for help. Here I am!

When it tried to remove the entries it came up with an error that it "failed to load c:]program files\spybot - search_destroy\DelZip179.dll"

I use Internet Explorer but have completely stopped using it until this problem is resolved. Therefore I'm using a second computer to post this info, and this is also why I can't post a Kaspersky log.

I have provided the Trend Micro HijackThis log.

Can you please help me figure this out as fast as possible - this machine is critical to my business. Thanks!


************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:21 AM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\adskflex.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Gateway\EzTune\DTHtml.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Documents and Settings\User\Desktop\KnockOut.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\1stWORKS\hotCommCL\BIN\hotComm.exe
C:\Program Files\TradeStation 8.3 (Build 1631)\Program\ORPlat.exe
C:\PROGRA~1\TRADES~2.3(B\Program\ordllhst.exe
C:\PROGRA~1\TRADES~2.3(B\Program\whserver.exe
C:\PROGRA~1\TRADES~2.3(B\Program\orcal.exe
C:\PROGRA~1\TRADES~2.3(B\Program\orclprxy.exe
C:\Program Files\TradeStation 8.3 (Build 1631)\Program\TickShel.EXE
C:\PROGRA~1\TRADES~2.3(B\Program\orchart.exe
C:\PROGRA~1\TRADES~2.3(B\Program\tsrpts.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 168.143.163.89 hcurltest1
O1 - Hosts: 82.165.161.232 hcurltest2
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [JMB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AsusServiceProvider] "C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [DT GWY] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -GWY
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BM434f52a0] Rundll32.exe "C:\WINDOWS\system32\wqyomtnc.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA6314] command /c del "C:\WINDOWS\system32\abndetdj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4097] cmd /c del "C:\WINDOWS\system32\abndetdj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7126] command /c del "C:\WINDOWS\system32\buhjapty.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2417] cmd /c del "C:\WINDOWS\system32\buhjapty.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7134] command /c del "C:\WINDOWS\system32\mnllcohi.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3490] cmd /c del "C:\WINDOWS\system32\mnllcohi.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3429] command /c del "C:\WINDOWS\system32\ossvupux.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC64] cmd /c del "C:\WINDOWS\system32\ossvupux.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9078] command /c del "C:\WINDOWS\system32\sdjetxon.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9096] cmd /c del "C:\WINDOWS\system32\sdjetxon.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: network.bat
O4 - Startup: Shortcut to KnockOut.lnk = C:\Documents and Settings\User\Desktop\KnockOut.exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\utorrent.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173376378546
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Flexlm Service 1 - Macrovision Corporation - C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe (file missing)
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/User/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif

--
End of file - 16726 bytes
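
As an added example (not code from the thread, Spybot, HijackThis or ComboFix), the following Python script applies the pattern visible in the log above as a triage heuristic: Run values loading randomly named 8-letter DLLs from system32 through Rundll32, hex-like value names such as BM434f52a0, BHOs backed by such DLLs, and RunOnce entries still trying to delete renamed `.dll_old` files. The sample lines are constructed in HijackThis format from entries on this page; the O2 line is built from a BHO the ComboFix report lists, since HijackThis itself showed no O2 lines on this machine.

```python
"""Heuristic triage of HijackThis O2/O4 lines for the Vundo/Virtumonde pattern:
randomly named 8-letter DLLs in system32 loaded via Rundll32 or as BHOs,
hex-like Run value names, and leftover .dll_old files awaiting deletion."""
import re
from dataclasses import dataclass

# Constructed sample lines in HijackThis format, modelled on the thread's log.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BM434f52a0] Rundll32.exe "C:\WINDOWS\system32\wqyomtnc.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingA6314] command /c del "C:\WINDOWS\system32\abndetdj.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O2 - BHO: (no name) - {05A46B99-2DB8-4D39-8B46-7E37174EB02F} - C:\WINDOWS\system32\urqPjGwT.dll
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
DLL_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.dll(?:_old)?)', re.IGNORECASE)
HEXNAME_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$")   # BM434f52a0 / 407c613c style value names
VOWELS = set("aeiou")


@dataclass
class Finding:
    entry: str    # O4 value name or BHO CLSID
    reason: str


def looks_random(stem: str) -> bool:
    """Heuristic for Vundo-style 8-letter names (wqyomtnc, urqPjGwT, bsnfjddd).
    Only a hint: a legitimate DLL can trip it and some random names slip through."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    if re.search(r"[a-z][A-Z]", stem):           # case switch inside the name
        return True
    runs = re.findall(r"[aeiou]+|[^aeiou]+", stem.lower())
    longest_consonants = max((len(r) for r in runs if r[0] not in VOWELS), default=0)
    longest_vowels = max((len(r) for r in runs if r[0] in VOWELS), default=0)
    return longest_consonants >= 4 or longest_vowels >= 4


def dll_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\wqyomtnc.dll' -> 'wqyomtnc'"""
    return path.rsplit("\\", 1)[-1].split(".", 1)[0]


def triage(log_text: str):
    """Return a list of Finding objects for suspicious O2/O4 lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        o4 = O4_RE.match(line)
        if o4:
            name, cmd = o4["name"], o4["cmd"]
            hit = DLL_RE.search(cmd)
            path = hit.group(1) if hit else ""
            if path.lower().endswith(".dll_old"):
                findings.append(Finding(name, "RunOnce delete of a renamed .dll_old: "
                                              "an earlier removal failed; confirm the file is gone"))
                continue
            if HEXNAME_RE.match(name):
                findings.append(Finding(name, "hex-like Run value name"))
            if (path and "rundll32" in cmd.lower() and "\\system32\\" in path.lower()
                    and looks_random(dll_stem(path))):
                findings.append(Finding(name, f"Rundll32 loads random-looking "
                                              f"{dll_stem(path)}.dll from system32"))
            continue
        o2 = O2_RE.match(line)
        if o2 and "\\system32\\" in o2["path"].lower() and looks_random(dll_stem(o2["path"])):
            findings.append(Finding(o2["clsid"], f"BHO {o2['name']} backed by random-looking DLL"))
    return findings


def flagged_entries(log_text: str) -> set:
    """Just the entry identifiers that triage() flagged, for quick comparison."""
    return {f.entry for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.entry}: {f.reason}")
```

Run it over a full HijackThis log to get a short list of entries worth checking against the ComboFix "Reg Loading Points" section; it is a starting point for review, not a removal decision.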

Shaba
2008-05-17, 10:56
Hi Zander

We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left-hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download ComboFix from any of these links and save it to your Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double-click ComboFix.exe and follow the prompts.
3. When finished, it will produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- the ComboFix report

Zander
2008-05-17, 20:37
I downloaded ComboFix and disabled all firewall, antivirus and spyware programs. ComboFix would still not work. I found through trial and error that stopping the attrib.exe process allowed ComboFix to start; however, I accidentally pressed the wrong key when it asked if I agreed to the terms.

It deleted itself and I put it back and tried starting it again, however it now just stops at a blue screen and doesn't go any further.

I found a file it creates called 'bug.txt' but deleting this didn't help either.

Please advise!

Shaba
2008-05-17, 21:02
Hi

Please try to run it next in safe mode :)

Zander
2008-05-17, 22:00
I ran it in safe mode, and this time it worked; however, it said it needed to reboot the machine, which it did, and when I logged back in a ComboFix window appeared which displayed a "Please Wait..." screen and wouldn't go any further.

Any advice?

Zander
2008-05-17, 22:15
OK - sorry, I forgot about your instructions on what to do if it takes longer than 20 minutes.

I stopped the process called sed.cfexe and it continued for a bit, then stopped when the process called FindStr showed up. I stopped that process and it didn't go any further.

What should I do with the open window?

Shaba
2008-05-17, 22:28
Hi

Try to run ComboFix in safe mode; when it asks to reboot, reboot back into safe mode, and when it's finished, boot to normal mode.

Zander
2008-05-17, 23:06
Thanks - that worked. I've posted the log files from ComboFix and HijackThis, created in safe mode.

_________
ComboFix 08-05-15.3 - User 2008-05-17 12:48:00.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1740 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
.
---- Previous Run -------
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bacMnnmp.ini
C:\WINDOWS\system32\bacMnnmp.ini2
C:\WINDOWS\system32\bisykmrk.exe
C:\WINDOWS\system32\dddjfnsb.ini
C:\WINDOWS\system32\ediuvoof.ini
C:\WINDOWS\system32\fdmcqrhl.exe
C:\WINDOWS\system32\ghkihwbw.ini
C:\WINDOWS\system32\jowisugx.exe
C:\WINDOWS\system32\loruvyxx.ini
C:\WINDOWS\system32\loruvyxx.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nequyqgc.ini
C:\WINDOWS\system32\noxtejds.ini
C:\WINDOWS\system32\NWHilnnn.ini
C:\WINDOWS\system32\NWHilnnn.ini2
C:\WINDOWS\system32\oxfsewbo.exe
C:\WINDOWS\system32\prrXycdd.ini
C:\WINDOWS\system32\prrXycdd.ini2
C:\WINDOWS\system32\qkgbglgc.ini
C:\WINDOWS\system32\TwGjPqru.ini
C:\WINDOWS\system32\TwGjPqru.ini2
C:\WINDOWS\system32\vooyohat.exe
C:\WINDOWS\system32\XbKmTtwa.ini
C:\WINDOWS\system32\XbKmTtwa.ini2
C:\WINDOWS\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-17 12:42 . 2008-05-17 12:42 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-17 12:14 . 2008-05-17 12:14 125,952 --a------ C:\WINDOWS\system32\jycuauie.dll
2008-05-17 12:13 . 2008-05-17 12:13 371,712 --a------ C:\WINDOWS\system32\awtTmKbX.dll
2008-05-17 12:08 . 2008-05-17 12:38 354 ---hs---- C:\WINDOWS\system32\dddjfnsb.ini
2008-05-17 10:32 . 2008-05-17 10:32 134,144 --a------ C:\WINDOWS\system32\rnupvjbb.dll
2008-05-17 10:26 . 2008-05-17 10:26 116,224 --a------ C:\WINDOWS\system32\bsnfjddd.dll
2008-05-17 10:23 . 2008-05-17 10:23 371,712 --a------ C:\WINDOWS\system32\urqPjGwT.dll
2008-05-17 10:23 . 2008-05-17 10:23 125,952 --a------ C:\WINDOWS\system32\vidcaxcg.dll
2008-05-17 09:17 . 2008-05-17 09:17 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-17 09:17 . 2008-05-17 12:55 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-16 17:05 . 2008-05-16 17:05 135,680 --a------ C:\WINDOWS\system32\hdauvuyy.dll
2008-05-16 16:56 . 2008-05-16 16:56 116,736 --a------ C:\WINDOWS\system32\wbwhikhg.dll
2008-05-16 16:53 . 2008-05-16 16:53 125,952 --a------ C:\WINDOWS\system32\ncbestfw.dll
2008-05-16 16:32 . 2008-05-16 16:32 370,688 --a------ C:\WINDOWS\system32\xxyvurol.dll_old
2008-05-16 14:09 . 2008-05-16 14:09 116,736 --a------ C:\WINDOWS\system32\cgqyuqen.dll
2008-05-16 14:09 . 2008-05-16 14:09 164 --a------ C:\install.dat
2008-05-16 14:06 . 2008-05-16 14:06 135,680 --a------ C:\WINDOWS\system32\rpvvnudr.dll
2008-05-16 14:03 . 2008-05-16 14:03 125,952 --a------ C:\WINDOWS\system32\drrybqup.dll
2008-05-15 22:42 . 2008-05-15 22:42 116,736 --a------ C:\WINDOWS\system32\cglgbgkq.dll
2008-05-15 22:33 . 2008-05-15 22:33 133,120 --a------ C:\WINDOWS\system32\leppuric.dll
2008-05-15 22:30 . 2008-05-15 22:30 125,952 --a------ C:\WINDOWS\system32\wqyomtnc.dll
2008-05-15 19:55 . 2008-05-15 19:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-15 19:55 . 2008-05-15 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-15 02:16 . 2008-05-15 02:16 <DIR> d-------- C:\WINDOWS\system32\Quarantine
2008-05-14 21:09 . 2006-08-24 12:40 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2008-05-14 21:09 . 2006-07-10 17:38 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2008-05-14 21:08 . 2008-05-15 02:16 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-14 19:39 . 2008-05-14 21:00 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-14 09:05 . 2008-05-17 12:38 109,807 --a------ C:\WINDOWS\BM434f52a0.xml
2008-05-13 21:00 . 2008-05-13 21:00 57,856 --a------ C:\WINDOWS\system32\xxyxUoOh.dll
2008-05-13 20:56 . 2008-05-13 20:56 57,856 --a------ C:\WINDOWS\system32\yayXrsqq.dll
2008-05-07 20:45 . 2008-05-07 20:46 8 --a------ C:\WINDOWS\sess_54d502b19f6d90898b7b6a83ac0b83cc
2008-05-07 20:45 . 2008-05-07 20:45 8 --a------ C:\WINDOWS\sess_4aafb38039561bd8bbbb76faec7a2ed9
2008-05-07 20:42 . 2008-05-07 20:42 8 --a------ C:\WINDOWS\sess_83f7cad487d69ca260363d4fef25ecc3
2008-05-07 20:40 . 2008-05-07 20:40 <DIR> d-------- C:\Program Files\PsychicSalesLetter
2008-05-05 13:15 . 2006-02-06 08:54 24,064 -ra------ C:\WINDOWS\system32\PostProc.dll
2008-05-05 13:14 . 2001-09-11 15:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
2008-05-05 13:14 . 2005-05-04 09:20 53,248 --a------ C:\WINDOWS\system32\wdmioctl.dll
2008-05-05 13:14 . 2005-09-26 16:20 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2008-05-05 13:14 . 2002-04-17 15:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
2008-05-05 13:13 . 2008-05-05 13:13 19,744 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-05-04 21:30 . 2008-05-04 21:30 <DIR> d-------- C:\Program Files\MagicDisc
2008-05-04 21:30 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-05-02 13:13 . 2008-05-02 13:13 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2008-05-01 11:28 . 2008-05-01 11:28 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-01 11:26 . 2008-05-01 11:26 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-01 11:26 . 2008-05-01 11:27 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\SWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\PWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\MWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\DWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\CWRKArea.wrk
2008-04-29 18:26 . 2008-05-01 18:37 <DIR> d-------- C:\Program Files\QuickTax Tracker
2008-04-26 11:17 . 2008-04-26 11:22 <DIR> d-------- C:\Program Files\TradeStation 8.3 (Build 1631)
2008-04-17 12:52 . 2008-04-17 12:52 <DIR> d-------- C:\Program Files\Free Desktop Clock

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-17 19:39 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2008-05-17 19:39 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-05-17 16:24 --------- d-----w C:\Program Files\Webroot
2008-05-17 16:24 --------- d-----w C:\Documents and Settings\User\Application Data\Webroot
2008-05-16 21:10 1,518 ----a-w C:\WINDOWS\win.tmp
2008-05-16 21:02 --------- d-----w C:\Program Files\TradeStation Archives
2008-05-16 14:47 --------- d-----w C:\Program Files\Trend Micro
2008-05-15 04:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-06 16:04 --------- d-----w C:\Program Files\eSignal Pro
2008-05-05 20:14 --------- d-----w C:\Program Files\Analog Devices
2008-05-05 05:40 --------- d-----w C:\Program Files\CASHFLOW
2008-05-02 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2008-05-02 20:13 --------- d-----w C:\Program Files\TechSmith
2008-05-02 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-04-07 13:09 --------- d-----w C:\Program Files\iTunes
2008-04-07 13:08 --------- d-----w C:\Program Files\iPod
2008-04-07 13:06 --------- d-----w C:\Program Files\QuickTime
2008-04-03 20:28 --------- d-----w C:\Documents and Settings\User\Application Data\dvdcss
2008-03-31 02:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-31 02:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-31 01:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-03-29 00:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 00:41 --------- d-----w C:\Program Files\EA Sports
2008-03-19 23:00 --------- d-----w C:\Documents and Settings\User\Application Data\1clickPro
2006-12-13 20:15 2,233 ----a-w C:\Documents and Settings\User\Application Data\SAS7_000.DAT
2006-11-17 01:01 162 ---h--w C:\Program Files\Common Files\client.lcs
2006-11-17 00:59 226 ---h--w C:\Program Files\Common Files\server.lcs
2006-10-19 03:28 461 ----a-w C:\Program Files\INSTALL.LOG
2004-10-01 22:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2006-11-13 21:03 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05A46B99-2DB8-4D39-8B46-7E37174EB02F}]
2008-05-17 10:23 371712 --a------ C:\WINDOWS\system32\urqPjGwT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{099038AC-1FC7-4619-849D-45DEE1D155CE}]
C:\WINDOWS\system32\xxyvurol.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2611CFD4-4DAE-48CB-A234-323AE57749F9}]
C:\WINDOWS\system32\nnnliHWN.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3DA4C41A-AE0E-45FD-9A29-DC76FA5C9C13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DAD26CA-7E56-4196-B903-D57C23A5C154}]
C:\WINDOWS\system32\pmnnMcab.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7620844-936C-4D0E-8AF9-BD661F8D2B78}]
C:\WINDOWS\system32\ddcyXrrp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A88B91F1-745B-425D-BFD5-79622FB871AD}]
2008-05-17 12:13 371712 --a------ C:\WINDOWS\system32\awtTmKbX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ce0f979b-e892-4170-83c8-c6304e89e7c7}]
2008-05-17 10:32 134144 --a------ C:\WINDOWS\system32\rnupvjbb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E243A8E7-6244-49E0-A361-22DBF30FD46C}]
2008-05-13 20:56 57856 --a------ C:\WINDOWS\system32\yayXrsqq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= "C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll" [2007-09-16 07:21 103760]

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2005-04-20 10:44 894464]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 03:45 23120680]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-12-16 20:50 492808]
"PowerBar"="" []
"SkinClock"="C:\Program Files\Free Desktop Clock\DesktopClock.exe" [2006-10-01 16:50 334848]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-13 00:46 3375104]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Index Washer"="C:\Program Files\Webroot\Washer\WashIdx.exe" [2005-04-07 13:45 51200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 14:02 988701]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2005-12-27 18:01 1544099]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 10:33 243248]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 01:45 385024]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:30 249856]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 12:38 163840]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-09-22 00:55 57344]
"AsusServiceProvider"="C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe" [2006-08-03 02:25 591360]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2006-08-22 12:46 1422848]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 14:02 118784]
"DT GWY"="C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2007-10-09 18:45 81920]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 16:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 19:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 15:58 61440]
"CmPCIaudio"="CMICNFG3.CPL" []
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 03:07 843776]
"407c613c"="C:\WINDOWS\system32\bsnfjddd.dll" [2008-05-17 10:26 116224]
"BM434f52a0"="C:\WINDOWS\system32\jycuauie.dll" [2008-05-17 12:14 125952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-13 00:46 3375104]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-04 21:30:00 546816]
network.bat [2008-03-28 17:34:28 62]
Shortcut to KnockOut.lnk - C:\Documents and Settings\User\Desktop\KnockOut.exe [2002-12-16 20:22:42 83968]
µTorrent.lnk - C:\Program Files\uTorrent\utorrent.exe [2006-07-02 09:29:46 219952]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-07-09 12:05:16 25214]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-09-22 00:55:04 57344]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-04 21:43:54 11000]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:27:34 471040]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-10-22 16:31:03 651264]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2006-10-22 16:03:40 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E243A8E7-6244-49E0-A361-22DBF30FD46C}"= C:\WINDOWS\system32\yayXrsqq.dll [2008-05-13 20:56 57856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayXrsqq]
yayXrsqq.dll 2008-05-13 20:56 57856 C:\WINDOWS\system32\yayXrsqq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo1"= CSvidcap.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8server.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\3dsviz.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\IBP 9\\IBP.exe"=
"C:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"=
"C:\\Program Files\\eSignal Pro\\winros.exe"=
"C:\\Program Files\\TradeStation 8.3 (Build 1419)\\Program\\ORPlat.exe"=
"C:\\Program Files\\TradeStation 8.3 (Build 1419)\\Program\\TickShel.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:*:Disabled:bittorrent 6881
"6882:TCP"= 6882:TCP:*:Disabled:bittorrent 6882
"6883:TCP"= 6883:TCP:*:Disabled:bittorrent 6883
"6884:TCP"= 6884:TCP:*:Disabled:bittorrent 6884
"6888:TCP"= 6888:TCP:*:Disabled:6888 Utorrent

S2 Flexlm Service 1;Flexlm Service 1;C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe [2006-05-29 18:22]
S2 RaySat_3dsmax8Server;RaySat_3dsmax8 Server;C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe [2006-03-24 15:55]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2006-07-27 21:28]
S3 axskbus;axskbus;C:\WINDOWS\system32\DRIVERS\axskbus.sys []
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 13:50]
S3 IndieVolume;IndieVolume Service;C:\Program Files\IndieVolume\IndieVolume.sys []
S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
S3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []
S3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 04:54:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-16 21:03:16 C:\WINDOWS\Tasks\TradeStation Backup - Monthly.job"
- C:\Program Files\TradeStation 8.3 (Build 1631)\Program\TSBackupRestore.exeT/Backup C:\Program Files\TradeStation 8.3 (Build 1631)\Templates\Backup\Monthly.tsb7C:\Program Files\TradeStation 8.3 (Build 1631)\Program
"2007-04-28 01:22:17 C:\WINDOWS\Tasks\Update iTunes music library.job"
- C:\Documents and Settings\User\My Documents\_Storage\Stored Programs\Utilities\itunes library updater\iTLU.bat
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 12:55:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\yayXrsqq.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-05-17 13:02:02 - machine was rebooted [User]
ComboFix-quarantined-files.txt 2008-05-17 20:01:31

Pre-Run: 42,053,185,536 bytes free
Post-Run: 42,034,343,936 bytes free

294 --- E O F --- 2008-05-17 19:44:31


********************
HIJACK THIS LOG
********************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:32 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {05A46B99-2DB8-4D39-8B46-7E37174EB02F} - C:\WINDOWS\system32\urqPjGwT.dll
O2 - BHO: (no name) - {099038AC-1FC7-4619-849D-45DEE1D155CE} - C:\WINDOWS\system32\xxyvurol.dll (file missing)
O2 - BHO: (no name) - {2611CFD4-4DAE-48CB-A234-323AE57749F9} - C:\WINDOWS\system32\nnnliHWN.dll (file missing)
O2 - BHO: (no name) - {3DA4C41A-AE0E-45FD-9A29-DC76FA5C9C13} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {6DAD26CA-7E56-4196-B903-D57C23A5C154} - C:\WINDOWS\system32\pmnnMcab.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A7620844-936C-4D0E-8AF9-BD661F8D2B78} - C:\WINDOWS\system32\ddcyXrrp.dll (file missing)
O2 - BHO: (no name) - {A88B91F1-745B-425D-BFD5-79622FB871AD} - C:\WINDOWS\system32\awtTmKbX.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: {7c7e98e4-036c-8c38-0714-298eb979f0ec} - {ce0f979b-e892-4170-83c8-c6304e89e7c7} - C:\WINDOWS\system32\rnupvjbb.dll
O2 - BHO: (no name) - {E243A8E7-6244-49E0-A361-22DBF30FD46C} - C:\WINDOWS\system32\yayXrsqq.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [JMB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AsusServiceProvider] "C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [DT GWY] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -GWY
O4 - HKLM\..\Run: [BrMfcWnd] "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter3] "C:\Program Files\Brother\ControlCenter3\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [407c613c] rundll32.exe "C:\WINDOWS\system32\bsnfjddd.dll",b
O4 - HKLM\..\Run: [BM434f52a0] Rundll32.exe "C:\WINDOWS\system32\jycuauie.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "User"
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: network.bat
O4 - Startup: Shortcut to KnockOut.lnk = C:\Documents and Settings\User\Desktop\KnockOut.exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\utorrent.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173376378546
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: yayXrsqq - C:\WINDOWS\SYSTEM32\yayXrsqq.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Flexlm Service 1 - Macrovision Corporation - C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe (file missing)
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/User/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif

--
End of file - 13402 bytes

Shaba
2008-05-17, 23:26
Hi

That's great :)

If instructions fail in normal, please try them in safe mode.

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\jycuauie.dll
C:\WINDOWS\system32\awtTmKbX.dll
C:\WINDOWS\system32\dddjfnsb.ini
C:\WINDOWS\system32\rnupvjbb.dll
C:\WINDOWS\system32\bsnfjddd.dll
C:\WINDOWS\system32\urqPjGwT.dll
C:\WINDOWS\system32\vidcaxcg.dll
C:\WINDOWS\system32\hdauvuyy.dll
C:\WINDOWS\system32\wbwhikhg.dll
C:\WINDOWS\system32\ncbestfw.dll
C:\WINDOWS\system32\xxyvurol.dll_old
C:\WINDOWS\system32\cgqyuqen.dll
C:\WINDOWS\system32\rpvvnudr.dll
C:\WINDOWS\system32\drrybqup.dll
C:\WINDOWS\system32\cglgbgkq.dll
C:\WINDOWS\system32\leppuric.dll
C:\WINDOWS\system32\wqyomtnc.dll
C:\WINDOWS\BM434f52a0.xml
C:\WINDOWS\system32\xxyxUoOh.dll
C:\WINDOWS\system32\yayXrsqq.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05A46B99-2DB8-4D39-8B46-7E37174EB02F}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{099038AC-1FC7-4619-849D-45DEE1D155CE}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2611CFD4-4DAE-48CB-A234-323AE57749F9}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3DA4C41A-AE0E-45FD-9A29-DC76FA5C9C13}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DAD26CA-7E56-4196-B903-D57C23A5C154}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7620844-936C-4D0E-8AF9-BD661F8D2B78}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A88B91F1-745B-425D-BFD5-79622FB871AD}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ce0f979b-e892-4170-83c8-c6304e89e7c7}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E243A8E7-6244-49E0-A361-22DBF30FD46C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"407c613c"=-
"BM434f52a0"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E243A8E7-6244-49E0-A361-22DBF30FD46C}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayXrsqq]



Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

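The CFScript above is built by hand from the loading points in the logs: the random-named DLLs in system32, the "(no name)" BHO registrations that point at them (or at nothing), the rundll32 Run values, and the Winlogon Notify key. The script below, added here as an example and not code from ComboFix, HijackThis, Spybot or this thread's helpers, runs that same triage over HijackThis O2/O4/O20 lines and renders the result in the File::/Registry:: layout shown in the post. The sample lines are copied from the HijackThis log posted earlier in the thread (clean entries left in so the filter has something to reject); the heuristics are my assumptions, not the tools' logic: an eight-letter DLL name under C:\WINDOWS\system32 is treated as a Vundo-style dropper, a "(no name)" BHO with a missing file as an orphaned registration, and an HKLM Run value that loads such a DLL through rundll32 as its autostart.

```python
"""Triage HijackThis loading-point lines for Virtumonde/Vundo-style entries
and emit a ComboFix CFScript from the hits.

Added example for this thread, not code from ComboFix, HijackThis or Spybot.
The detection rules are assumptions, documented at each regex.
"""
import re

# Constructed sample: lines copied from the HijackThis log posted earlier in
# this thread, clean and infected entries mixed.
SAMPLE_LOG = r"""
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {05A46B99-2DB8-4D39-8B46-7E37174EB02F} - C:\WINDOWS\system32\urqPjGwT.dll
O2 - BHO: (no name) - {099038AC-1FC7-4619-849D-45DEE1D155CE} - C:\WINDOWS\system32\xxyvurol.dll (file missing)
O2 - BHO: (no name) - {3DA4C41A-AE0E-45FD-9A29-DC76FA5C9C13} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E243A8E7-6244-49E0-A361-22DBF30FD46C} - C:\WINDOWS\system32\yayXrsqq.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [407c613c] rundll32.exe "C:\WINDOWS\system32\bsnfjddd.dll",b
O4 - HKLM\..\Run: [BM434f52a0] Rundll32.exe "C:\WINDOWS\system32\jycuauie.dll",s
O20 - Winlogon Notify: yayXrsqq - C:\WINDOWS\SYSTEM32\yayXrsqq.dll
"""

SYS32 = re.compile(r"^C:\\WINDOWS\\system32\\", re.IGNORECASE)
# Assumption: Vundo droppers in this log are exactly eight letters plus .dll.
RANDOM_DLL = re.compile(r"^[A-Za-z]{8}\.dll$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<rest>.*)$")
O4_RE = re.compile(r"^O4 - HKLM\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
QUOTED_DLL = re.compile(r'"([^"]+\.dll)"', re.IGNORECASE)


def is_random_sys32_dll(path):
    r"""True for C:\WINDOWS\system32\<eight letters>.dll in any case, else False."""
    path = path.strip().strip('"')
    if not SYS32.match(path):
        return False
    return RANDOM_DLL.match(path.rsplit("\\", 1)[-1]) is not None


def triage(log):
    """Collect suspect files, BHO CLSIDs, HKLM Run values and Winlogon Notify keys."""
    files, bho_clsids, run_values, notify_keys = [], [], [], []
    for line in log.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            rest = m.group("rest")
            if m.group("name") != "(no name)":
                continue                                  # vendor BHO, keep it
            if rest == "(no file)" or rest.endswith("(file missing)"):
                bho_clsids.append(m.group("clsid"))       # orphaned registration
            elif is_random_sys32_dll(rest):
                bho_clsids.append(m.group("clsid"))
                files.append(rest)
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            dll = QUOTED_DLL.search(cmd)
            if "rundll32" in cmd.lower() and dll and is_random_sys32_dll(dll.group(1)):
                run_values.append(m.group("value"))
                files.append(dll.group(1))
            continue
        m = O20_RE.match(line)
        if m and is_random_sys32_dll(m.group("path")):
            notify_keys.append(m.group("key"))
            files.append(m.group("path"))
    # One DLL is registered under several loading points (and in mixed case);
    # list it once, keeping the first spelling seen.
    unique = {}
    for f in files:
        unique.setdefault(f.lower(), f)
    return {
        "files": sorted(unique.values(), key=str.lower),
        "bho_clsids": bho_clsids,
        "run_values": run_values,
        "notify_keys": notify_keys,
    }


def build_cfscript(hits):
    """Render the hits in the File::/Registry:: layout used in this thread."""
    out = ["File::"] + hits["files"] + ["", "Registry::"]
    for clsid in hits["bho_clsids"]:
        out += ["[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + clsid + "]", ""]
    if hits["run_values"]:
        out.append("[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]")
        out += ['"%s"=-' % v for v in hits["run_values"]]
        out.append("")
    for key in hits["notify_keys"]:
        out += ["[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
                "\\winlogon\\notify\\" + key + "]", ""]
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Treat the output as a candidate list for a human to check against the full ComboFix log, not as something to feed to ComboFix unread: the ShellExecuteHooks entry removed in the script above comes from the ComboFix log, not from HijackThis, so it still has to be added by hand, and any eight-letter vendor DLL in system32 would be flagged by this name heuristic.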
Zander
2008-05-17, 23:52
Thanks... I had to run it in Safe Mode, but it worked :laugh:

I've posted results of the ComboFix.txt and HijackThis below:

***************************

ComboFix 08-05-15.3 - User 2008-05-17 13:35:58.5 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1733 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM434f52a0.xml
C:\WINDOWS\system32\awtTmKbX.dll
C:\WINDOWS\system32\bsnfjddd.dll
C:\WINDOWS\system32\cglgbgkq.dll
C:\WINDOWS\system32\cgqyuqen.dll
C:\WINDOWS\system32\dddjfnsb.ini
C:\WINDOWS\system32\drrybqup.dll
C:\WINDOWS\system32\hdauvuyy.dll
C:\WINDOWS\system32\jycuauie.dll
C:\WINDOWS\system32\leppuric.dll
C:\WINDOWS\system32\ncbestfw.dll
C:\WINDOWS\system32\rnupvjbb.dll
C:\WINDOWS\system32\rpvvnudr.dll
C:\WINDOWS\system32\urqPjGwT.dll
C:\WINDOWS\system32\vidcaxcg.dll
C:\WINDOWS\system32\wbwhikhg.dll
C:\WINDOWS\system32\wqyomtnc.dll
C:\WINDOWS\system32\xxyvurol.dll_old
C:\WINDOWS\system32\xxyxUoOh.dll
C:\WINDOWS\system32\yayXrsqq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Guest\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\BM434f52a0.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awtTmKbX.dll
C:\WINDOWS\system32\bsnfjddd.dll
C:\WINDOWS\system32\cglgbgkq.dll
C:\WINDOWS\system32\cgqyuqen.dll
C:\WINDOWS\system32\dddjfnsb.ini
C:\WINDOWS\system32\drrybqup.dll
C:\WINDOWS\system32\hdauvuyy.dll
C:\WINDOWS\system32\IjlVDcfe.ini
C:\WINDOWS\system32\IjlVDcfe.ini2
C:\WINDOWS\system32\jycuauie.dll
C:\WINDOWS\system32\leppuric.dll
C:\WINDOWS\system32\ncbestfw.dll
C:\WINDOWS\system32\rnupvjbb.dll
C:\WINDOWS\system32\rpvvnudr.dll
C:\WINDOWS\system32\urqPjGwT.dll
C:\WINDOWS\system32\vidcaxcg.dll
C:\WINDOWS\system32\wbwhikhg.dll
C:\WINDOWS\system32\wqyomtnc.dll
C:\WINDOWS\system32\xxyvurol.dll_old
C:\WINDOWS\system32\xxyxUoOh.dll
C:\WINDOWS\system32\yayXrsqq.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-17 13:19 . 2008-05-17 13:19 371,712 --a------ C:\WINDOWS\system32\efcDVljI.dll
2008-05-17 09:17 . 2008-05-17 09:17 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-17 09:17 . 2008-05-17 13:44 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-16 14:09 . 2008-05-16 14:09 164 --a------ C:\install.dat
2008-05-15 19:55 . 2008-05-15 19:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-15 19:55 . 2008-05-15 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-15 02:16 . 2008-05-15 02:16 <DIR> d-------- C:\WINDOWS\system32\Quarantine
2008-05-14 21:09 . 2006-08-24 12:40 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2008-05-14 21:09 . 2006-07-10 17:38 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2008-05-14 21:08 . 2008-05-15 02:16 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-14 19:39 . 2008-05-14 21:00 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-07 20:45 . 2008-05-07 20:46 8 --a------ C:\WINDOWS\sess_54d502b19f6d90898b7b6a83ac0b83cc
2008-05-07 20:45 . 2008-05-07 20:45 8 --a------ C:\WINDOWS\sess_4aafb38039561bd8bbbb76faec7a2ed9
2008-05-07 20:42 . 2008-05-07 20:42 8 --a------ C:\WINDOWS\sess_83f7cad487d69ca260363d4fef25ecc3
2008-05-07 20:40 . 2008-05-07 20:40 <DIR> d-------- C:\Program Files\PsychicSalesLetter
2008-05-05 13:15 . 2006-02-06 08:54 24,064 -ra------ C:\WINDOWS\system32\PostProc.dll
2008-05-05 13:14 . 2001-09-11 15:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
2008-05-05 13:14 . 2005-05-04 09:20 53,248 --a------ C:\WINDOWS\system32\wdmioctl.dll
2008-05-05 13:14 . 2005-09-26 16:20 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2008-05-05 13:14 . 2002-04-17 15:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
2008-05-05 13:13 . 2008-05-05 13:13 19,744 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-05-04 21:30 . 2008-05-04 21:30 <DIR> d-------- C:\Program Files\MagicDisc
2008-05-04 21:30 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-05-02 13:13 . 2008-05-02 13:13 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2008-05-01 11:28 . 2008-05-01 11:28 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-01 11:26 . 2008-05-01 11:26 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-01 11:26 . 2008-05-01 11:27 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\SWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\PWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\MWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\DWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\CWRKArea.wrk
2008-04-29 18:26 . 2008-05-01 18:37 <DIR> d-------- C:\Program Files\QuickTax Tracker
2008-04-26 11:17 . 2008-04-26 11:22 <DIR> d-------- C:\Program Files\TradeStation 8.3 (Build 1631)
2008-04-17 12:52 . 2008-04-17 12:52 <DIR> d-------- C:\Program Files\Free Desktop Clock

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 20:31 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2008-05-17 20:17 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-05-17 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-17 16:24 --------- d-----w C:\Program Files\Webroot
2008-05-17 16:24 --------- d-----w C:\Documents and Settings\User\Application Data\Webroot
2008-05-16 21:10 1,518 ----a-w C:\WINDOWS\win.tmp
2008-05-16 21:02 --------- d-----w C:\Program Files\TradeStation Archives
2008-05-16 14:47 --------- d-----w C:\Program Files\Trend Micro
2008-05-15 04:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-06 16:04 --------- d-----w C:\Program Files\eSignal Pro
2008-05-05 20:14 --------- d-----w C:\Program Files\Analog Devices
2008-05-05 05:40 --------- d-----w C:\Program Files\CASHFLOW
2008-05-02 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2008-05-02 20:13 --------- d-----w C:\Program Files\TechSmith
2008-05-02 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-04-07 13:09 --------- d-----w C:\Program Files\iTunes
2008-04-07 13:08 --------- d-----w C:\Program Files\iPod
2008-04-07 13:06 --------- d-----w C:\Program Files\QuickTime
2008-04-03 20:28 --------- d-----w C:\Documents and Settings\User\Application Data\dvdcss
2008-03-31 02:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-31 02:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-31 01:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-03-29 00:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 00:41 --------- d-----w C:\Program Files\EA Sports
2008-03-19 23:00 --------- d-----w C:\Documents and Settings\User\Application Data\1clickPro
2006-12-13 20:15 2,233 ----a-w C:\Documents and Settings\User\Application Data\SAS7_000.DAT
2006-11-17 01:01 162 ---h--w C:\Program Files\Common Files\client.lcs
2006-11-17 00:59 226 ---h--w C:\Program Files\Common Files\server.lcs
2006-10-19 03:28 461 ----a-w C:\Program Files\INSTALL.LOG
2004-10-01 22:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2006-11-13 21:03 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-17_13.00.41.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 19:54:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-17 20:44:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21815876-69E6-402A-9C03-032CD06F1AFC}]
2008-05-17 13:19 371712 --a------ C:\WINDOWS\system32\efcDVljI.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= "C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll" [2007-09-16 07:21 103760]

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2005-04-20 10:44 894464]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 03:45 23120680]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-12-16 20:50 492808]
"PowerBar"="" []
"SkinClock"="C:\Program Files\Free Desktop Clock\DesktopClock.exe" [2006-10-01 16:50 334848]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-13 00:46 3375104]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Index Washer"="C:\Program Files\Webroot\Washer\WashIdx.exe" [2005-04-07 13:45 51200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 14:02 988701]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2005-12-27 18:01 1544099]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 10:33 243248]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 01:45 385024]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:30 249856]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 12:38 163840]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-09-22 00:55 57344]
"AsusServiceProvider"="C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe" [2006-08-03 02:25 591360]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2006-08-22 12:46 1422848]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 14:02 118784]
"DT GWY"="C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2007-10-09 18:45 81920]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 16:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 19:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 15:58 61440]
"CmPCIaudio"="CMICNFG3.CPL" []
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 03:07 843776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-13 00:46 3375104]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-04 21:30:00 546816]
network.bat [2008-03-28 17:34:28 62]
Shortcut to KnockOut.lnk - C:\Documents and Settings\User\Desktop\KnockOut.exe [2002-12-16 20:22:42 83968]
µTorrent.lnk - C:\Program Files\uTorrent\utorrent.exe [2006-07-02 09:29:46 219952]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-07-09 12:05:16 25214]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-09-22 00:55:04 57344]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-04 21:43:54 11000]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:27:34 471040]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-10-22 16:31:03 651264]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2006-10-22 16:03:40 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo1"= CSvidcap.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8server.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\3dsviz.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\IBP 9\\IBP.exe"=
"C:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"=
"C:\\Program Files\\eSignal Pro\\winros.exe"=
"C:\\Program Files\\TradeStation 8.3 (Build 1419)\\Program\\ORPlat.exe"=
"C:\\Program Files\\TradeStation 8.3 (Build 1419)\\Program\\TickShel.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:*:Disabled:bittorrent 6881
"6882:TCP"= 6882:TCP:*:Disabled:bittorrent 6882
"6883:TCP"= 6883:TCP:*:Disabled:bittorrent 6883
"6884:TCP"= 6884:TCP:*:Disabled:bittorrent 6884
"6888:TCP"= 6888:TCP:*:Disabled:6888 Utorrent

S2 Flexlm Service 1;Flexlm Service 1;C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe [2006-05-29 18:22]
S2 RaySat_3dsmax8Server;RaySat_3dsmax8 Server;C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe [2006-03-24 15:55]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2006-07-27 21:28]
S3 axskbus;axskbus;C:\WINDOWS\system32\DRIVERS\axskbus.sys []
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 13:50]
S3 IndieVolume;IndieVolume Service;C:\Program Files\IndieVolume\IndieVolume.sys []
S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
S3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []
S3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 04:54:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-16 21:03:16 C:\WINDOWS\Tasks\TradeStation Backup - Monthly.job"
- C:\Program Files\TradeStation 8.3 (Build 1631)\Program\TSBackupRestore.exeT/Backup C:\Program Files\TradeStation 8.3 (Build 1631)\Templates\Backup\Monthly.tsb7C:\Program Files\TradeStation 8.3 (Build 1631)\Program
"2007-04-28 01:22:17 C:\WINDOWS\Tasks\Update iTunes music library.job"
- C:\Documents and Settings\User\My Documents\_Storage\Stored Programs\Utilities\itunes library updater\iTLU.bat
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 13:44:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-17 13:50:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-17 20:50:00
ComboFix2.txt 2008-05-17 20:02:02

Pre-Run: 42,086,260,736 bytes free
Post-Run: 42,066,751,488 bytes free

263 --- E O F --- 2008-05-17 19:44:31


**************************************
HIJACK THIS
**************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:05 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {21815876-69E6-402A-9C03-032CD06F1AFC} - C:\WINDOWS\system32\efcDVljI.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [JMB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AsusServiceProvider] "C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [DT GWY] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -GWY
O4 - HKLM\..\Run: [BrMfcWnd] "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter3] "C:\Program Files\Brother\ControlCenter3\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "User"
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: network.bat
O4 - Startup: Shortcut to KnockOut.lnk = C:\Documents and Settings\User\Desktop\KnockOut.exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\utorrent.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173376378546
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Flexlm Service 1 - Macrovision Corporation - C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe (file missing)
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/User/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif

--
End of file - 12297 bytes

Shaba
2008-05-18, 11:26
Hi

Something still left:

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\efcDVljI.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21815876-69E6-402A-9C03-032CD06F1AFC}]


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes of findstr, find, sed or swreg; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.

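The triage behind the reply above, as an added example (not code from HijackThis, ComboFix or the forum's helpers): parse the O2 BHO lines from the HijackThis log posted in this thread, flag the entry that looks like a Virtumonde component (unnamed BHO, DLL dropped straight into system32, meaningless eight-letter name), and render the File::/Registry:: sections of a CFScript in the same form the helper wrote by hand. The sample lines are copied from the log above; the three heuristics and the two-hit threshold are assumptions, and the rendered script is meant for a human helper to review, not to be applied blindly.

```python
import re
from dataclasses import dataclass, field
from typing import List

# HijackThis line format: "O2 - BHO: <name> - {<CLSID>} - <dll path>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - (?P<path>.+)$"
)

# Full path behind ComboFix's "HKEY_LOCAL_MACHINE\~\Browser Helper Objects" abbreviation.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# Eight letters and nothing else, the naming pattern of the DLL flagged in this thread.
EIGHT_LETTER_STEM = re.compile(r"^[A-Za-z]{8}$")

# Constructed sample: O2/O3 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {21815876-69E6-402A-9C03-032CD06F1AFC} - C:\WINDOWS\system32\efcDVljI.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
"""


@dataclass
class BhoEntry:
    name: str
    clsid: str
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed threshold: a single weak signal (e.g. an 8-letter name like
        # SDHelper.dll) is not enough; two or more independent hits are.
        return len(self.reasons) >= 2


def assess(entry: BhoEntry) -> List[str]:
    """Return the heuristic hits for one BHO entry (assumed heuristics)."""
    reasons = []
    if entry.name.strip().lower() == "(no name)":
        reasons.append("BHO registered without a display name")
    folder, _, filename = entry.path.rpartition("\\")
    if folder.lower().endswith("\\system32"):
        reasons.append("DLL lives directly in system32 instead of a vendor folder")
    stem = filename.rsplit(".", 1)[0]
    if EIGHT_LETTER_STEM.match(stem) and stem not in (stem.lower(), stem.upper()):
        reasons.append("eight-letter mixed-case file name with no vendor meaning (weak signal)")
    return reasons


def parse_o2_lines(log_text: str) -> List[BhoEntry]:
    """Extract and assess every O2 line; other HijackThis sections are ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = O2_RE.match(raw.strip())
        if not m:
            continue
        entry = BhoEntry(m.group("name"), m.group("clsid"), m.group("path"))
        entry.reasons = assess(entry)
        entries.append(entry)
    return entries


def build_cfscript(entries: List[BhoEntry]) -> str:
    """Render File:: and Registry:: sections for the flagged entries, in the
    layout used in the thread. Empty string when nothing is flagged."""
    flagged = [e for e in entries if e.suspicious]
    if not flagged:
        return ""
    lines = ["File::"] + [e.path for e in flagged] + ["", "Registry::"]
    lines += [f"[-{BHO_KEY}\\{{{e.clsid}}}]" for e in flagged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_o2_lines(SAMPLE_LOG)
    for e in found:
        status = "SUSPICIOUS" if e.suspicious else "ok"
        print(f"{status:10} {e.path}")
        for r in e.reasons:
            print(f"           - {r}")
    print(build_cfscript(found))
```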
Zander
2008-05-18, 18:24
I've posted the results below - hopefully this will do it? I had to run it in Safe Mode again; does this matter, and will I eventually have to get ComboFix to run in Normal mode?

Thanks Shaba

*******************
COMBOFIX LOG
*******************
ComboFix 08-05-15.3 - User 2008-05-18 8:06:25.6 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1730 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\efcDVljI.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\efcDVljI.dll
C:\WINDOWS\system32\hdfyobjk.ini
C:\WINDOWS\system32\IjlVDcfe.ini
C:\WINDOWS\system32\IjlVDcfe.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-17 18:06 . 2008-05-17 18:06 134,144 --a------ C:\WINDOWS\system32\hwnpyval.dll
2008-05-17 18:06 . 2008-05-17 18:06 116,224 --a------ C:\WINDOWS\system32\kjboyfdh.dll
2008-05-17 18:06 . 2008-05-17 18:06 6,694 --a------ C:\WINDOWS\system32\mrgwwqfh.dll
2008-05-17 18:06 . 2008-05-17 18:06 6,692 --a------ C:\WINDOWS\system32\qtyyhqkt.exe
2008-05-17 09:17 . 2008-05-17 09:17 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-17 09:17 . 2008-05-18 08:12 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-16 14:09 . 2008-05-16 14:09 164 --a------ C:\install.dat
2008-05-15 19:55 . 2008-05-15 19:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-15 19:55 . 2008-05-15 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-15 02:16 . 2008-05-15 02:16 <DIR> d-------- C:\WINDOWS\system32\Quarantine
2008-05-14 21:09 . 2006-08-24 12:40 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2008-05-14 21:09 . 2006-07-10 17:38 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2008-05-14 21:08 . 2008-05-15 02:16 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-14 19:39 . 2008-05-14 21:00 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-07 20:45 . 2008-05-07 20:46 8 --a------ C:\WINDOWS\sess_54d502b19f6d90898b7b6a83ac0b83cc
2008-05-07 20:45 . 2008-05-07 20:45 8 --a------ C:\WINDOWS\sess_4aafb38039561bd8bbbb76faec7a2ed9
2008-05-07 20:42 . 2008-05-07 20:42 8 --a------ C:\WINDOWS\sess_83f7cad487d69ca260363d4fef25ecc3
2008-05-07 20:40 . 2008-05-07 20:40 <DIR> d-------- C:\Program Files\PsychicSalesLetter
2008-05-05 13:15 . 2006-02-06 08:54 24,064 -ra------ C:\WINDOWS\system32\PostProc.dll
2008-05-05 13:14 . 2001-09-11 15:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
2008-05-05 13:14 . 2005-05-04 09:20 53,248 --a------ C:\WINDOWS\system32\wdmioctl.dll
2008-05-05 13:14 . 2005-09-26 16:20 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2008-05-05 13:14 . 2002-04-17 15:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
2008-05-05 13:13 . 2008-05-05 13:13 19,744 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-05-04 21:30 . 2008-05-04 21:30 <DIR> d-------- C:\Program Files\MagicDisc
2008-05-04 21:30 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-05-02 13:13 . 2008-05-02 13:13 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2008-05-01 11:28 . 2008-05-01 11:28 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-01 11:26 . 2008-05-01 11:26 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-01 11:26 . 2008-05-01 11:27 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\SWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\PWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\MWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\DWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\CWRKArea.wrk
2008-04-29 18:26 . 2008-05-01 18:37 <DIR> d-------- C:\Program Files\QuickTax Tracker
2008-04-26 11:17 . 2008-04-26 11:22 <DIR> d-------- C:\Program Files\TradeStation 8.3 (Build 1631)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 14:57 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2008-05-18 14:56 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-05-17 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-17 16:24 --------- d-----w C:\Program Files\Webroot
2008-05-17 16:24 --------- d-----w C:\Documents and Settings\User\Application Data\Webroot
2008-05-16 21:10 1,518 ----a-w C:\WINDOWS\win.tmp
2008-05-16 21:02 --------- d-----w C:\Program Files\TradeStation Archives
2008-05-16 14:47 --------- d-----w C:\Program Files\Trend Micro
2008-05-15 04:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-06 16:04 --------- d-----w C:\Program Files\eSignal Pro
2008-05-05 20:14 --------- d-----w C:\Program Files\Analog Devices
2008-05-05 05:40 --------- d-----w C:\Program Files\CASHFLOW
2008-05-02 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2008-05-02 20:13 --------- d-----w C:\Program Files\TechSmith
2008-05-02 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-04-17 19:52 --------- d-----w C:\Program Files\Free Desktop Clock
2008-04-07 13:09 --------- d-----w C:\Program Files\iTunes
2008-04-07 13:08 --------- d-----w C:\Program Files\iPod
2008-04-07 13:06 --------- d-----w C:\Program Files\QuickTime
2008-04-03 20:28 --------- d-----w C:\Documents and Settings\User\Application Data\dvdcss
2008-03-31 02:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-31 02:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-31 01:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-03-29 00:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 00:41 --------- d-----w C:\Program Files\EA Sports
2008-03-19 23:00 --------- d-----w C:\Documents and Settings\User\Application Data\1clickPro
2006-12-13 20:15 2,233 ----a-w C:\Documents and Settings\User\Application Data\SAS7_000.DAT
2006-11-17 01:01 162 ---h--w C:\Program Files\Common Files\client.lcs
2006-11-17 00:59 226 ---h--w C:\Program Files\Common Files\server.lcs
2006-10-19 03:28 461 ----a-w C:\Program Files\INSTALL.LOG
2004-10-01 22:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2006-11-13 21:03 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-17_13.00.41.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 19:54:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-18 15:12:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-30 04:45:47 77,824 ----a-w C:\WINDOWS\system32\kdfapi.dll
+ 2008-05-18 01:06:29 77,824 ----a-w C:\WINDOWS\system32\kdfapi.dll
- 2008-04-30 04:45:47 53,248 ----a-w C:\WINDOWS\system32\Kdfhok.dll
+ 2008-05-18 01:06:29 53,248 ----a-w C:\WINDOWS\system32\Kdfhok.dll
- 2008-04-30 04:45:47 726,568 ----a-w C:\WINDOWS\system32\kdfmgr.exe
+ 2008-05-18 01:06:29 726,568 ----a-w C:\WINDOWS\system32\kdfmgr.exe
- 2008-04-30 04:45:47 192,512 ----a-w C:\WINDOWS\system32\kdfvmgr.exe
+ 2008-05-18 01:06:29 192,512 ----a-w C:\WINDOWS\system32\kdfvmgr.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= "C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll" [2007-09-16 07:21 103760]

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2005-04-20 10:44 894464]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 03:45 23120680]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-12-16 20:50 492808]
"PowerBar"="" []
"SkinClock"="C:\Program Files\Free Desktop Clock\DesktopClock.exe" [2006-10-01 16:50 334848]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-13 00:46 3375104]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Index Washer"="C:\Program Files\Webroot\Washer\WashIdx.exe" [2005-04-07 13:45 51200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 14:02 988701]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2005-12-27 18:01 1544099]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 10:33 243248]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 01:45 385024]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:30 249856]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 12:38 163840]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-09-22 00:55 57344]
"AsusServiceProvider"="C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe" [2006-08-03 02:25 591360]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2006-08-22 12:46 1422848]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 14:02 118784]
"DT GWY"="C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2007-10-09 18:45 81920]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 16:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 19:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 15:58 61440]
"CmPCIaudio"="CMICNFG3.CPL" []
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 03:07 843776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-13 00:46 3375104]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-04 21:30:00 546816]
network.bat [2008-03-28 17:34:28 62]
Shortcut to KnockOut.lnk - C:\Documents and Settings\User\Desktop\KnockOut.exe [2002-12-16 20:22:42 83968]
µTorrent.lnk - C:\Program Files\uTorrent\utorrent.exe [2006-07-02 09:29:46 219952]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-07-09 12:05:16 25214]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-09-22 00:55:04 57344]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-04 21:43:54 11000]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:27:34 471040]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-10-22 16:31:03 651264]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2006-10-22 16:03:40 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo1"= CSvidcap.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8server.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\3dsviz.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\IBP 9\\IBP.exe"=
"C:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"=
"C:\\Program Files\\eSignal Pro\\winros.exe"=
"C:\\Program Files\\TradeStation 8.3 (Build 1419)\\Program\\ORPlat.exe"=
"C:\\Program Files\\TradeStation 8.3 (Build 1419)\\Program\\TickShel.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:*:Disabled:bittorrent 6881
"6882:TCP"= 6882:TCP:*:Disabled:bittorrent 6882
"6883:TCP"= 6883:TCP:*:Disabled:bittorrent 6883
"6884:TCP"= 6884:TCP:*:Disabled:bittorrent 6884
"6888:TCP"= 6888:TCP:*:Disabled:6888 Utorrent

S2 Flexlm Service 1;Flexlm Service 1;C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe [2006-05-29 18:22]
S2 RaySat_3dsmax8Server;RaySat_3dsmax8 Server;C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe [2006-03-24 15:55]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2006-07-27 21:28]
S3 axskbus;axskbus;C:\WINDOWS\system32\DRIVERS\axskbus.sys []
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 13:50]
S3 IndieVolume;IndieVolume Service;C:\Program Files\IndieVolume\IndieVolume.sys []
S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
S3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []
S3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 04:54:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-16 21:03:16 C:\WINDOWS\Tasks\TradeStation Backup - Monthly.job"
- C:\Program Files\TradeStation 8.3 (Build 1631)\Program\TSBackupRestore.exeT/Backup C:\Program Files\TradeStation 8.3 (Build 1631)\Templates\Backup\Monthly.tsb7C:\Program Files\TradeStation 8.3 (Build 1631)\Program
"2007-04-28 01:22:17 C:\WINDOWS\Tasks\Update iTunes music library.job"
- C:\Documents and Settings\User\My Documents\_Storage\Stored Programs\Utilities\itunes library updater\iTLU.bat
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 08:13:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-18 8:19:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-18 15:18:59
ComboFix2.txt 2008-05-17 20:50:28
ComboFix3.txt 2008-05-17 20:02:02

Pre-Run: 42,981,507,072 bytes free
Post-Run: 42,964,619,264 bytes free

234 --- E O F --- 2008-05-17 19:44:31


*******************
HIJACKTHIS LOG
*******************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:51 AM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [JMB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AsusServiceProvider] "C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [DT GWY] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -GWY
O4 - HKLM\..\Run: [BrMfcWnd] "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter3] "C:\Program Files\Brother\ControlCenter3\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "User"
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: network.bat
O4 - Startup: Shortcut to KnockOut.lnk = C:\Documents and Settings\User\Desktop\KnockOut.exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\utorrent.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663