virtumonde.generic and win32.BHO.df help needed
dellaware
2007-11-18, 18:10
Been trying to get rid of these for 4 days now with no luck. Spybot detects them, but win32.BHO.df remains even after it has been removed! So far I have tried Spybot, Ad-Aware SE, Trend OfficeScan, Trend SysClean, Vundo.exe and AVG Anti-Spyware, but no luck.
HJT log attached:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:57:14, on 18/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Acer\Empowering Technology\admServ.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CPUCooL\CooLSrv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\TEMP\GK2003.EXE
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ElkCtrl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\DOCUME~1\KERRIG~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Acer\GraviSense\GraviSense.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Offline Course Player\OlpSynch.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Microsoft CRM\Client\res\web\bin\Microsoft.Crm.Application.Hoster.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\skanneri.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.10.0:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07C5CEDF-A8AC-4B01-A90E-B48145C00E85} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A5DC1DB-2ECD-414C-A668-C2680C11ABDB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {A9029BA2-11B0-478B-A8B7-91A97391421D} - C:\WINDOWS\system32\awtqq.dll
O2 - BHO: (no name) - {C6851F2F-BCDF-423E-B8EE-88D2F066DCF5} - (no file)
O2 - BHO: {6872ace7-42fa-e148-22b4-c9bd0cd33b6c} - {c6b33dc0-db9c-4b22-841e-af247eca2786} - C:\WINDOWS\system32\lfaysiqf.dll
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: LLIEHlprObj Class - {F757FBBF-10E5-4DDA-BBEA-2357E54BEA2B} - C:\Program Files\Open Text\Livelink Explorer\LLBHO3.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [GraviSense] C:\Acer\GraviSense\GraviSense.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [OLPSYNCH] C:\Program Files\Offline Course Player\OlpSynch.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [d0e95cee] rundll32.exe "C:\WINDOWS\system32\buvmfitk.dll",b
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSCRMStartup] "C:\Program Files\Microsoft CRM\Client\res\web\bin\Microsoft.Crm.Application.Hoster.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.deltacrm01
O15 - Trusted Zone: http://deltaproject01.deltascheme.com
O15 - Trusted Zone: *.deltascheme.com
O15 - Trusted Zone: http://*.vmsimsltest
O16 - DPF: {01516EAA-CC39-4477-9500-87CB12F72AFD} (Livelink Explorer Activator) - http://deltalivelink.deltascheme.com/Intranetsupport/webexp/llexpld.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://deltaproject01.deltascheme.com/projectserver/objects/pjclient.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsoft.com/resources/virtuallabs/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {547A5E74-F8CA-4326-9A46-95BEBFE6F065} - http://deltalivelink.deltascheme.com/Intranetsupport/webexp/install.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183578274812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183578057093
O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - http://localhost/VirtualServer/activex/VMRCActiveXClient.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://deltaproject01.deltascheme.com/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://clientprofiles.webex.com/client/T23L/webex/ieatgpc.cab
O16 - DPF: {F8C41CBF-721F-4B99-9FC8-2F8077C4AD39} (BravaClientXView 5.2 Class) - http://igcsps.infograph.com/BravaServer/BravaClientX.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deltascheme.com
O17 - HKLM\Software\..\Telephony: DomainName = deltascheme.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E4C873C-D367-446E-A694-6B7D6D179353}: NameServer = 192.168.150.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deltascheme.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = deltascheme.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c002A641.dat
O20 - Winlogon Notify: cmgavxpy - cmgavxpy.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScanNT Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
--
End of file - 18348 bytes
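The HJT log above is what the helpers in this thread triage by eye. As an added example (not code from this thread or from any of the tools named in it), the following Python script applies the same first-pass heuristics to O2/O3/O4/O20 lines: nameless or GUID-named BHOs loading randomly named DLLs from system32, rundll32 autostarts doing the same, any AppInit_DLLs entry, and orphaned "(no file)" / "(file missing)" registrations. The sample lines are copied from this log; the heuristics, the "5 to 8 lowercase letters" random-name rule and the severity labels are this example's own assumptions, not a signature set.

```python
"""First-pass triage of HijackThis log lines for Vundo/Virtumonde-style persistence.

Added example. The regexes follow the HJT 2.0.2 line layout seen in this thread;
the heuristics are assumptions for illustration, not a complete detection set.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Dict

# O2 (BHO) and O3 (toolbar) entries share one layout: name - {CLSID} - path
BHO_RE = re.compile(
    r"^O(?:2 - BHO|3 - Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$"
)
# O4 Run/RunOnce entries: hive\..\Run: [value name] command line
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\S*?)\\\.\.\\Run(?:Once)?: \[(?P<name>.*?)\] (?P<cmd>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?$"
)
# rundll32 with an explicit .dll argument; the export name after the comma is ignored
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")


@dataclass
class Finding:
    severity: str   # "high": likely active loader; "low": leftover registration to clean up
    reason: str
    line: str


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def looks_random(path: str) -> bool:
    """Assumed heuristic: Vundo droppers in this thread use 5-8 random lowercase letters
    (awtqq.dll, buvmfitk.dll, lfaysiqf.dll). Weak on its own, so it is only used together
    with the other conditions below."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return re.fullmatch(r"[a-z]{5,8}", stem) is not None


def triage_line(line: str) -> Optional[Finding]:
    line = line.strip()
    m = BHO_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        if path == "(no file)":
            return Finding("low", "registration left behind, DLL no longer on disk", line)
        nameless = name == "(no name)" or GUID_RE.match(name) is not None
        if nameless and in_system32(path) and looks_random(path):
            return Finding("high", "nameless browser extension loading randomly named DLL from system32", line)
        return None
    m = RUN_RE.match(line)
    if m:
        d = RUNDLL_RE.search(m.group("cmd"))
        if d and in_system32(d.group("dll")) and looks_random(d.group("dll")):
            return Finding("high", "rundll32 autostart loading randomly named DLL from system32", line)
        return None
    m = APPINIT_RE.match(line)
    if m:
        # AppInit_DLLs is mapped into every process that loads user32.dll; legitimate use is rare
        return Finding("high", "AppInit_DLLs entry injected into every GUI process", line)
    m = NOTIFY_RE.match(line)
    if m:
        if m.group("missing"):
            return Finding("low", "Winlogon Notify package whose DLL is gone", line)
        if looks_random(m.group("dll")):
            return Finding("high", "Winlogon Notify package with randomly named DLL", line)
    return None


def triage(lines: List[str]) -> List[Finding]:
    return [f for f in (triage_line(l) for l in lines) if f is not None]


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {07C5CEDF-A8AC-4B01-A90E-B48145C00E85} - (no file)",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: (no name) - {A9029BA2-11B0-478B-A8B7-91A97391421D} - C:\WINDOWS\system32\awtqq.dll",
    r"O2 - BHO: {6872ace7-42fa-e148-22b4-c9bd0cd33b6c} - {c6b33dc0-db9c-4b22-841e-af247eca2786} - C:\WINDOWS\system32\lfaysiqf.dll",
    r"O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)",
    r'O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay',
    r"O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent",
    r'O4 - HKLM\..\Run: [d0e95cee] rundll32.exe "C:\WINDOWS\system32\buvmfitk.dll",b',
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\__c002A641.dat",
    r"O20 - Winlogon Notify: cmgavxpy - cmgavxpy.dll (file missing)",
]

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity.upper():4}] {f.reason}\n        {f.line}")
    print(count_by_severity(results))   # {'high': 4, 'low': 3}
```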
dellaware
2007-11-18, 18:12
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 18, 2007 4:11:43 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/11/2007
Kaspersky Anti-Virus database records: 460974
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 141300
Number of viruses found: 11
Number of infected objects: 40
Number of suspicious objects: 0
Duration of the scan process: 06:50:29
====
Log is too long to post - can supply if needed.
Thanks
steamwiz
2007-11-18, 19:09
Hi
If by "Vundo.exe" you mean VundoFix, please post the VundoFix log found here :-
C:\vundofix.txt
-
Please also post the SUPERAntiSpyware Scan Log
-
RE: KASPERSKY ONLINE SCANNER REPORT
Scan Statistics:
Total number of scanned objects: 141300
Number of viruses found: 11
Number of infected objects: 40
Number of suspicious objects: 0
Can you look through the log & just post the ones which say Infected:
Items which are "locked" are not a problem...
Alternatively can you attach the report ...
-
THEN ...
Please download Combofix: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
and save to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new HijackThis log.
Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.
Please remember to post :-
1. C:\vundofix.txt
2. SUPERAntiSpyware Scan Log
3. C:\ComboFix.txt
4. A new HijackThis log (run after everything else).
steam
dellaware
2007-11-19, 09:27
Thanks for your help; yes, it was vundofix.exe.
I followed the steps you gave, but Combofix.exe did not complete. The first couple of times it was killed by the Trend anti-spyware; once it ran and produced the messages 'completed stage_1 to _3', but then hard disk activity stopped and it never went any further; and now it doesn't even do this, no matter how long I leave it.
Cut down KASPERSKY ONLINE SCANNER REPORT:
C:\Documents and Settings\kerrigand\Local Settings\Temporary Internet Files\Content.IE5\1VBN7D8C\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\kerrigand\Local Settings\Temporary Internet Files\Content.IE5\LL9ZIVV7\pochki20071106[1] Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Documents and Settings\kerrigand\Local Settings\Temporary Internet Files\Content.IE5\MN6MP5LQ\mosx1024[1] Infected: Trojan-Downloader.Win32.ConHook.hl skipped
C:\Documents and Settings\kerrigand\My Documents\Software\Tools\pstools\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\Documents and Settings\kerrigand\My Documents\Software\Tools\pstools\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
C:\Documents and Settings\kerrigand\My Documents\Software\Tools\pstools\PsTools.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
C:\Documents and Settings\kerrigand\My Documents\Software\Tools\pstools\PsTools.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\Documents and Settings\kerrigand\My Documents\Software\Tools\pstools\PsTools.zip ZIP: infected - 2 skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\17PHolmes[1].cmt Infected: Trojan-Downloader.Win32.Agent.fak skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\17PHolmes[1]_514.VIR Infected: Trojan-Downloader.Win32.Agent.fak skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\17PHolmes[1]_c58.VIR Infected: Trojan-Downloader.Win32.Agent.fak skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\17PHolmes[1]_c60.VIR Infected: Trojan-Downloader.Win32.Agent.fak skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\17PHolmes[1]_c68.VIR Infected: Trojan-Downloader.Win32.Agent.fak skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\dnslook11.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\mosx1024[1] Infected: Trojan-Downloader.Win32.ConHook.hl skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\pochki20071106[1] Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\wavesnet[1].exe Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\System Volume Information\_restore{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP555\A0100195.exe Infected: Trojan-Downloader.Win32.Agent.fak skipped
C:\System Volume Information\_restore{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP560\A0102946.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP560\A0102951.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103063.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103077.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103082.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103117.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103118.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103138.exe Infected: Trojan-Downloader.Win32.Agent.fak skipped
C:\System Volume Information\_restore{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103139.exe Infected: Trojan-Downloader.Win32.Agent.fak skipped
C:\System Volume Information\_restore{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103140.exe Infected: Trojan-Downloader.Win32.Agent.fak skipped
C:\System Volume Information\_restore{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103141.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aqr skipped
C:\System Volume Information\_restore{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103142.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aqr skipped
C:\System Volume Information\_restore{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103143.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aqr skipped
C:\System Volume Information\_restore{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103236.dll Infected: Trojan-Downloader.Win32.ConHook.hl skipped
C:\VundoFix Backups\sbstellx.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\VundoFix Backups\vkcytjbb.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\WINDOWS\system32\buvmfitk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\ddcdbcb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aqr skipped
C:\WINDOWS\system32\guuoergw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\rev3\revdrive33b.exe Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\WINDOWS\system32\rMa01yy\rMa01yy1065.exe Infected: Trojan-Downloader.Win32.VB.bto skipped
C:\WINDOWS\system32\__c002A641.dat Infected: Trojan-Downloader.Win32.ConHook.hl skipped
dellaware
2007-11-19, 09:28
VundoFix V6.6.1
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 22:59:55 16/11/2007
Listing files found while scanning....
C:\WINDOWS\system32\cmgavxpy.dll
C:\windows\system32\sbstellx.dll
C:\windows\system32\vkcytjbb.dll
Beginning removal...
Attempting to delete C:\windows\system32\sbstellx.dll
C:\windows\system32\sbstellx.dll Has been deleted!
Attempting to delete C:\windows\system32\vkcytjbb.dll
C:\windows\system32\vkcytjbb.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.6.1
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 23:41:37 16/11/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.6.1
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 14:29:29 17/11/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.6.2
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 18:07:14 18/11/2007
Listing files found while scanning....
C:\windows\system32\ddcdbcb.dll
Beginning removal...
Attempting to delete C:\windows\system32\ddcdbcb.dll
C:\windows\system32\ddcdbcb.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 18:46:46 18/11/2007
Listing files found while scanning....
No infected files were found.
dellaware
2007-11-19, 09:31
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 11/18/2007 at 11:28 PM
Application Version : 3.9.1008
Core Rules Database Version : 3346
Trace Rules Database Version: 1347
Scan type : Complete Scan
Total Scan Time : 03:20:00
Memory items scanned : 1001
Memory threats detected : 5
Registry items scanned : 8711
Registry threats detected : 16
File items scanned : 139544
File threats detected : 35
Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\AWTQQ.DLL
C:\WINDOWS\SYSTEM32\AWTQQ.DLL
HKLM\Software\Classes\CLSID\{ED150936-A7F5-40FC-9128-273C19435058}
HKCR\CLSID\{ED150936-A7F5-40FC-9128-273C19435058}
HKCR\CLSID\{ED150936-A7F5-40FC-9128-273C19435058}\InprocServer32
HKCR\CLSID\{ED150936-A7F5-40FC-9128-273C19435058}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED150936-A7F5-40FC-9128-273C19435058}
Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\YKHIXLLU.DLL
C:\WINDOWS\SYSTEM32\YKHIXLLU.DLL
C:\WINDOWS\SYSTEM32\BUVMFITK.DLL
C:\WINDOWS\SYSTEM32\BUVMFITK.DLL
HKLM\Software\Classes\CLSID\{440d26fe-c292-4593-b216-a29047858839}
HKCR\CLSID\{440D26FE-C292-4593-B216-A29047858839}
HKCR\CLSID\{440D26FE-C292-4593-B216-A29047858839}\InprocServer32
HKCR\CLSID\{440D26FE-C292-4593-B216-A29047858839}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\QADSUGEI.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{440d26fe-c292-4593-b216-a29047858839}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103063.DLL
C:\WINDOWS\SYSTEM32\CCPMKMLC.DLL
C:\WINDOWS\SYSTEM32\GUUOERGW.DLL
C:\WINDOWS\SYSTEM32\NQDSJUJY.DLL
Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\LFAYSIQF.DLL
C:\WINDOWS\SYSTEM32\LFAYSIQF.DLL
Adware.eZula
C:\WINDOWS\SYSTEM32\RIFGNMDQ.EXE
C:\WINDOWS\SYSTEM32\RIFGNMDQ.EXE
Unclassified.Unknown Origin
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKU\S-1-5-21-708320503-715289478-879972363-1723\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{11A69AE4-FBED-4832-A2BF-45AF82825583}
Trojan.Downloader-Gen/DDC
HKLM\System\ControlSet001\Services\DomainService
HKLM\System\CurrentControlSet\Services\DomainService
Malware.LocusSoftware Inc/SpyGuardPro
HKLM\Software\SpyGuardPro
HKLM\Software\SpyGuardPro#EulaUGA6P_0001_N122M2210
Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\DAVE\LOCAL SETTINGS\TEMP\ICO65.TMP
C:\DOCUMENTS AND SETTINGS\DAVE\LOCAL SETTINGS\TEMP\ICO66.TMP
C:\DOCUMENTS AND SETTINGS\DAVE\LOCAL SETTINGS\TEMP\ICO6A.TMP
C:\DOCUMENTS AND SETTINGS\DAVE\LOCAL SETTINGS\TEMP\ICO6B.TMP
C:\DOCUMENTS AND SETTINGS\DAVE\LOCAL SETTINGS\TEMP\ICO6F.TMP
C:\DOCUMENTS AND SETTINGS\DAVE\LOCAL SETTINGS\TEMP\ICO70.TMP
Adware.Jraun/WinEssential
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP521\A0089222.EXE
Trojan.Downloader-Gen/MROFIN
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP555\A0100195.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103138.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103139.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103140.EXE
Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP560\A0102946.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP560\A0102951.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103077.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103082.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103117.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103118.DLL
Adware.Vundo-Variant/Small
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103141.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103142.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP561\A0103143.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2AF1D626-236F-48C5-AE45-CFD96DA1AA86}\RP563\A0103490.DLL
Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP
C:\WINDOWS\SYSTEM32\QQTWA.INI
C:\WINDOWS\SYSTEM32\QQTWA.INI2
Trojan.Downloader-Gen/BundleBase
C:\WINDOWS\SYSTEM32\RMA01YY\RMA01YY1065.EXE
dellaware
2007-11-19, 09:32
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:14, on 2007-11-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Acer\Empowering Technology\admServ.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CPUCooL\CooLSrv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ElkCtrl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Acer\GraviSense\GraviSense.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Offline Course Player\OlpSynch.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft CRM\Client\res\web\bin\Microsoft.Crm.Application.Hoster.exe
C:\DOCUME~1\KERRIG~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\skanneri.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.10.0:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07C5CEDF-A8AC-4B01-A90E-B48145C00E85} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A5DC1DB-2ECD-414C-A668-C2680C11ABDB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {C6851F2F-BCDF-423E-B8EE-88D2F066DCF5} - (no file)
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: LLIEHlprObj Class - {F757FBBF-10E5-4DDA-BBEA-2357E54BEA2B} - C:\Program Files\Open Text\Livelink Explorer\LLBHO3.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [GraviSense] C:\Acer\GraviSense\GraviSense.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [OLPSYNCH] C:\Program Files\Offline Course Player\OlpSynch.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [d0e95cee] rundll32.exe "C:\WINDOWS\system32\ykhixllu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSCRMStartup] "C:\Program Files\Microsoft CRM\Client\res\web\bin\Microsoft.Crm.Application.Hoster.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.deltacrm01
O15 - Trusted Zone: http://deltaproject01.deltascheme.com
O15 - Trusted Zone: *.deltascheme.com
O15 - Trusted Zone: http://*.vmsimsltest
O16 - DPF: {01516EAA-CC39-4477-9500-87CB12F72AFD} (Livelink Explorer Activator) - http://deltalivelink.deltascheme.com/Intranetsupport/webexp/llexpld.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://deltaproject01.deltascheme.com/projectserver/objects/pjclient.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsoft.com/resources/virtuallabs/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {547A5E74-F8CA-4326-9A46-95BEBFE6F065} - http://deltalivelink.deltascheme.com/Intranetsupport/webexp/install.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183578274812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183578057093
O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - http://localhost/VirtualServer/activex/VMRCActiveXClient.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://deltaproject01.deltascheme.com/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://clientprofiles.webex.com/client/T23L/webex/ieatgpc.cab
O16 - DPF: {F8C41CBF-721F-4B99-9FC8-2F8077C4AD39} (BravaClientXView 5.2 Class) - http://igcsps.infograph.com/BravaServer/BravaClientX.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deltascheme.com
O17 - HKLM\Software\..\Telephony: DomainName = deltascheme.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E4C873C-D367-446E-A694-6B7D6D179353}: NameServer = 192.168.150.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deltascheme.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00D3240.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cmgavxpy - cmgavxpy.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScanNT Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
--
End of file - 17010 bytes
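Four kinds of entry in the log above line up with what VundoFix and ComboFix reported later in this thread: the three O2 BHO CLSIDs with "(no file)" (ComboFix lists the same three under Reg Loading Points), the HKLM Run value d0e95cee that has rundll32 load C:\WINDOWS\system32\ykhixllu.dll with a one-letter export, the O20 AppInit_DLLs entry pointing at __c00D3240.dat (the file VundoFix could not delete, because AppInit_DLLs is mapped into every process that loads user32.dll and is empty on a clean XP install), and the O20 Winlogon Notify package cmgavxpy whose DLL VundoFix had already removed. The Python script below is an added example, not part of the original post and not HijackThis code; it turns those four patterns into triage rules and runs them over a constructed excerpt of the posted log. The rules are heuristics tied to what this thread shows, not a general Vundo signature, and the Finding class and rule names are this example's own.

```python
"""
Triage of a HijackThis v2 log for the Vundo/Virtumonde loading points seen
in this thread.  Added example: not part of the original post and not
HijackThis code.  Rules come from the entries the thread's tools flagged;
SAMPLE_LOG is a constructed excerpt of the posted log.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07C5CEDF-A8AC-4B01-A90E-B48145C00E85} - (no file)
O2 - BHO: (no name) - {5A5DC1DB-2ECD-414C-A668-C2680C11ABDB} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [d0e95cee] rundll32.exe "C:\WINDOWS\system32\ykhixllu.dll",b
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00D3240.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cmgavxpy - cmgavxpy.dll (file missing)
"""


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O4"
    line: str      # the log line exactly as written
    reason: str    # why it was flagged


HEX_VALUE_NAME = re.compile(r"^[0-9a-f]{8}$")                 # e.g. d0e95cee
O4_ENTRY = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")  # [value name] command
# rundll32 <path>[,export]; only matches an explicit drive-letter path
RUNDLL32_CALL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[A-Za-z]:\\[^",]+)"?(?:,(?P<export>[^,\s]*))?',
    re.IGNORECASE,
)


def triage(log_text):
    """Return Finding objects for the Vundo-style loading points in an HJT log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(Finding("O2", line,
                "BHO CLSID registered but its DLL is gone; orphan left by a removed loader"))
        elif line.startswith("O4 - "):
            m = O4_ENTRY.search(line)
            call = RUNDLL32_CALL.search(m.group("cmd")) if m else None
            if not call or "system32" not in call.group("dll").lower():
                continue
            export = call.group("export") or ""
            # Vundo loaders: random hex value name and/or a one-letter export
            if HEX_VALUE_NAME.match(m.group("name")) or len(export) == 1:
                findings.append(Finding("O4", line,
                    f"rundll32 loads {call.group('dll')} under value name "
                    f"'{m.group('name')}' with export '{export}'; Vundo-style loader"))
        elif line.startswith("O20 - AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            if value:
                findings.append(Finding("O20", line,
                    f"{value} is mapped into every process that loads user32.dll; "
                    "empty on a clean XP install, and the file stays locked while Windows runs"))
        elif line.startswith("O20 - Winlogon Notify:") and line.endswith("(file missing)"):
            findings.append(Finding("O20", line,
                "Winlogon notification package whose DLL is gone; orphan from a deleted loader"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the excerpt it flags exactly the five entries named above and leaves the Adobe BHO, the Defender and Bluetooth Run values and the SUPERAntiSpyware Winlogon package alone; the AppInit_DLLs finding is the one that explains the "Could not be deleted" results in the VundoFix logs further down.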
steamwiz
2007-11-19, 21:38
Hi
So ComboFix never produced this log C:\ComboFix.txt?
Would you please try turning off/exiting Trend anti-spyware, then try to run ComboFix... If it still won't run, delete it, download a new copy & try again, still with Trend disabled. ComboFix is an integral part of removing all traces of Vundo ...
steam
dellaware
2007-11-20, 02:13
Yeah, ComboFix never ran to completion or produced a log. So... I started again, running in Safe Mode. VundoFix first - removed a couple, but one file it could not remove, even after reboots - I think the problem was it didn't restart properly - more like switched off each time instead. Tried multiple times. Continued with SUPERAntiSpyware - came back clean. Then ComboFix - which ran correctly and actually deleted the file that VundoFix couldn't.
Logs attached starting with VundoFix:
VundoFix V6.6.1
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 22:59:55 16/11/2007
Listing files found while scanning....
C:\WINDOWS\system32\cmgavxpy.dll
C:\windows\system32\sbstellx.dll
C:\windows\system32\vkcytjbb.dll
Beginning removal...
Attempting to delete C:\windows\system32\sbstellx.dll
C:\windows\system32\sbstellx.dll Has been deleted!
Attempting to delete C:\windows\system32\vkcytjbb.dll
C:\windows\system32\vkcytjbb.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.6.1
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 23:41:37 16/11/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.6.1
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 14:29:29 17/11/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.6.2
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 18:07:14 18/11/2007
Listing files found while scanning....
C:\windows\system32\ddcdbcb.dll
Beginning removal...
Attempting to delete C:\windows\system32\ddcdbcb.dll
C:\windows\system32\ddcdbcb.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 18:46:46 18/11/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.6.2
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 18:59:34 19/11/2007
Listing files found while scanning....
C:\windows\system32\__c00D3240.dat
C:\windows\system32\djbiewxu.dll
Beginning removal...
Attempting to delete C:\windows\system32\__c00D3240.dat
C:\windows\system32\__c00D3240.dat Could not be deleted.
Attempting to delete C:\windows\system32\djbiewxu.dll
C:\windows\system32\djbiewxu.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\__c00D3240.dat
C:\windows\system32\__c00D3240.dat Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 19:41:09 19/11/2007
Listing files found while scanning....
C:\windows\system32\__c00D3240.dat
Beginning removal...
Attempting to delete C:\windows\system32\__c00D3240.dat
C:\windows\system32\__c00D3240.dat Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\__c00D3240.dat
C:\windows\system32\__c00D3240.dat Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
VundoFix V6.6.2
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 20:36:55 19/11/2007
Listing files found while scanning....
C:\windows\system32\__c00D3240.dat
Beginning removal...
Attempting to delete C:\windows\system32\__c00D3240.dat
C:\windows\system32\__c00D3240.dat Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\__c00D3240.dat
C:\windows\system32\__c00D3240.dat Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 21:25:52 2007-11-19
Listing files found while scanning....
C:\windows\system32\__c00D3240.dat
Beginning removal...
Attempting to delete C:\windows\system32\__c00D3240.dat
C:\windows\system32\__c00D3240.dat Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 23:39:51 2007-11-19
Listing files found while scanning....
No infected files were found.
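The run of VundoFix logs above shows the pattern worth recognising: __c00D3240.dat is reported "Could not be deleted" in every run from 18:59 on 19/11/2007 onward, while the randomly named DLLs beside it go quietly. That is the behaviour of a file listed under AppInit_DLLs (as it was in the HijackThis log earlier in this thread): it is mapped into every user32.dll-linked process, the remover included, so a plain delete fails until the registry loading point is removed and the file is dealt with at reboot or from outside the running system. The clean run at 23:39:51 came after ComboFix (started 23:23:16) listed the file under Other Deletions. The Python script below, an added example that is not part of the original post or of VundoFix, parses a constructed excerpt of these runs and reports which paths failed deletion in more than one run, which were ever deleted, and whether the last run was clean; the Run dataclass and report keys are this example's own.

```python
"""
Summarise a sequence of VundoFix runs and isolate the file the tool keeps
failing to delete.  Added example: not part of the original post and not
VundoFix code.  SAMPLE_RUNS is a constructed excerpt of the runs posted above.
"""
import re
from dataclasses import dataclass, field

SAMPLE_RUNS = r"""
VundoFix V6.6.2
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 18:59:34 19/11/2007
Listing files found while scanning....
C:\windows\system32\__c00D3240.dat
C:\windows\system32\djbiewxu.dll
Beginning removal...
Attempting to delete C:\windows\system32\__c00D3240.dat
C:\windows\system32\__c00D3240.dat Could not be deleted.
Attempting to delete C:\windows\system32\djbiewxu.dll
C:\windows\system32\djbiewxu.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 19:41:09 19/11/2007
Listing files found while scanning....
C:\windows\system32\__c00D3240.dat
Beginning removal...
Attempting to delete C:\windows\system32\__c00D3240.dat
C:\windows\system32\__c00D3240.dat Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\__c00D3240.dat
C:\windows\system32\__c00D3240.dat Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 23:39:51 2007-11-19
Listing files found while scanning....
No infected files were found.
"""

DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Run:
    version: str
    started: str = ""
    found: list = field(default_factory=list)    # paths listed by the scan
    deleted: set = field(default_factory=set)    # paths reported deleted
    failed: set = field(default_factory=set)     # paths that could not be deleted


def parse_runs(text):
    """Split concatenated VundoFix output into one Run per 'VundoFix V...' header."""
    runs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("VundoFix V"):
            runs.append(Run(version=line.split()[1]))
            continue
        if not runs:
            continue                      # text before the first header
        run = runs[-1]
        if line.startswith("Scan started at "):
            run.started = line[len("Scan started at "):]
        elif line.endswith(" Has been deleted!"):
            run.deleted.add(line[:-len(" Has been deleted!")])
        elif line.endswith(" Could not be deleted."):
            run.failed.add(line[:-len(" Could not be deleted.")])
        elif DRIVE_PATH.match(line):
            run.found.append(line)        # bare path from the "Listing files" block
    return runs


def persistent_failures(runs, min_runs=2):
    """Paths (lower-cased) that failed deletion in at least min_runs separate runs."""
    by_path = {}
    for run in runs:
        for path in run.failed:           # a set, so one entry per run even if retried
            by_path.setdefault(path.lower(), []).append(run.started)
    return {p: t for p, t in by_path.items() if len(t) >= min_runs}


def report(text):
    runs = parse_runs(text)
    return {
        "runs": len(runs),
        "persistent": persistent_failures(runs),
        "ever_deleted": sorted({p for r in runs for p in r.deleted}),
        "last_run_clean": bool(runs) and not runs[-1].found and not runs[-1].failed,
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_RUNS).items():
        print(f"{key}: {value}")
```

A path that shows up under "persistent" is the one to look up in the HijackThis O20 lines (AppInit_DLLs, Winlogon Notify) rather than retry with the same tool; the retry loop in the second run above is exactly what does not help.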
dellaware
2007-11-20, 02:16
ComboFix 07-11-08.3 - Dave 2007-11-19 23:23:16.2 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\kerrigand\Desktop\ComboFix.exe
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Dave\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Dave\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Dave\Favorites\Online Security Guide.lnk
C:\Documents and Settings\kerrigand\Desktop\Live Safety Center.lnk
C:\Documents and Settings\kerrigand\Desktop\Online Security Guide.lnk
C:\Documents and Settings\kerrigand\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\__c00D3240.dat
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\x2
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NPF
-------\NPF
((((((((((((((((((((((((( Files Created from 2007-10-19 to 2007-11-19 )))))))))))))))))))))))))))))))
.
2007-11-19 21:59 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\SUPERAntiSpyware.com
2007-11-19 21:56 73,284 --a------ C:\WINDOWS\system32\drivers\FILEM70.SYS
2007-11-19 21:54 <DIR> d-------- C:\WINDOWS\system32\dktemp
2007-11-18 23:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-18 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-18 19:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-18 19:22 <DIR> d-------- C:\Documents and Settings\kerrigand\Application Data\SUPERAntiSpyware.com
2007-11-17 19:16 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-17 19:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-17 01:10 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-16 23:14 <DIR> d-------- C:\Documents and Settings\kerrigand\Application Data\Grisoft
2007-11-16 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-16 23:12 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-16 22:59 <DIR> d-------- C:\VundoFix Backups
2007-11-16 22:54 <DIR> d-------- C:\virus fix
2007-11-16 19:51 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-15 21:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-15 17:48 <DIR> d-------- C:\Documents and Settings\Dave\Phone Browser
2007-11-15 17:46 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Subversion
2007-11-15 17:43 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\ATI
2007-11-14 17:11 <DIR> d-------- C:\WINDOWS\system32\rMa01yy
2007-11-14 17:11 <DIR> d-------- C:\WINDOWS\system32\rev3
2007-11-14 17:11 <DIR> d-------- C:\WINDOWS\system32\dn5
2007-11-14 17:11 <DIR> d-------- C:\temp\abW9
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-19 21:46 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\VMware
2007-11-19 21:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2007-11-19 17:14 --------- d-----w C:\Documents and Settings\kerrigand\Application Data\VMware
2007-11-18 19:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 03:02 --------- d-----w C:\Program Files\Microsoft Virtual Server
2007-11-17 19:00 --------- d-----w C:\Program Files\Trend Micro
2007-11-15 22:51 --------- d-----w C:\Program Files\Lavasoft
2007-11-15 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-15 21:49 --------- d-----w C:\Documents and Settings\kerrigand\Application Data\Lavasoft
2007-11-14 21:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-17 22:45 --------- d-----w C:\Program Files\SpeedFan
2007-10-08 17:24 --------- d-----w C:\Program Files\iTunes
2007-10-08 17:24 --------- d-----w C:\Program Files\iPod
2007-10-08 17:02 --------- d-----w C:\Program Files\Apple Software Update
2007-09-27 14:41 --------- d-----w C:\Documents and Settings\kerrigand\Application Data\LogMeIn Rescue
2007-09-20 22:41 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-09-20 10:57 --------- d-----w C:\Program Files\Microsoft Dynamics Sure Step
2007-09-20 10:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Dynamics
2006-03-02 18:47 57,344 ----a-w C:\Documents and Settings\kerrigand\iSetupNI.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07C5CEDF-A8AC-4B01-A90E-B48145C00E85}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A5DC1DB-2ECD-414C-A668-C2680C11ABDB}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6851F2F-BCDF-423E-B8EE-88D2F066DCF5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-13 23:29 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-07 16:17]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-07 16:16]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-11-30 20:39]
"LogitechVideo[inspector]"="C:\Program Files\Acer\OrbiCam\InstallHelper.exe" [2005-11-29 14:51]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 17:22]
"RTHDCPL"="RTHDCPL.EXE" [2005-11-16 20:27 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 04:51]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-10-19 09:30]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 C:\WINDOWS\system32\bthprops.cpl]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2005-12-15 19:13]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-18 16:06]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2005-12-01 17:57]
"GraviSense"="C:\Acer\GraviSense\GraviSense.exe" [2005-12-15 20:42]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 17:00]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-07 23:43]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 10:38]
"OLPSYNCH"="C:\Program Files\Offline Course Player\OlpSynch.exe" [2006-10-05 03:00]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" []
"DWPersistentQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.exe" [2007-02-26 08:01]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"d0e95cee"="C:\WINDOWS\system32\ykhixllu.dll" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"VundoFix"="C:\virus fix\vundofix.exe"
C:\Documents and Settings\kerrigand\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-12-02 14:30:42]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-10-19 14:55:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"consentpromptbehavioradmin"=0 (0x0)
"enableinstallerdetection"=0 (0x0)
"enablelua"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cmgavxpy]
cmgavxpy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-708320503-715289478-879972363-1723\Scripts\Logon\0\0]
"Script"=launchapp_v2.wsf
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-708320503-715289478-879972363-500\Scripts\Logon\0\0]
"Script"=Logon Script.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer VCM.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acer VCM.lnk
backup=C:\WINDOWS\pss\Acer VCM.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraAssistant]
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetIcon]
\Program Files\SMSC\Seticon.exe
R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
R3 IAMTXP;Driver for Intel(R) Active Management Technology - KCS;C:\WINDOWS\system32\DRIVERS\IAMTXP.sys
R3 vmkbd;VMware kbd;\??\C:\WINDOWS\system32\drivers\VMkbd.sys
S1 hmonitor;hmonitor;\??\C:\WINDOWS\system32\drivers\hmonitor.sys
S1 OsaFsLoc;OsaFsLoc;\??\C:\WINDOWS\system32\drivers\OsaFsLoc.sys
S1 RCFOX;SonicWALL IPsec Driver;\??\C:\WINDOWS\system32\Drivers\RCFOX.sys
S2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
S2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
S2 gsensor;gsensor;\??\C:\WINDOWS\system32\gsensor.sys
S2 MSSQL$CRM;SQL Server (CRM);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sCRM
S2 osaio;osaio;\??\C:\WINDOWS\system32\drivers\osaio.sys
S2 osanbm;osanbm;\??\C:\WINDOWS\system32\drivers\osanbm.sys
S2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver;\??\C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys
S3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\Drivers\lv321av.sys
S3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys
S3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
S3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys
S3 ufad-ws60;VMware Agent Service;"C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" -s ufad-p2v.xml
S3 USBDFU;USBDFU;C:\WINDOWS\system32\drivers\usbdfu.sys
S3 Virtual Server;Virtual Server;"C:\Program Files\Microsoft Virtual Server\vssrvc.exe"
S3 vmh;Virtual Machine Helper;"C:\Program Files\Microsoft Virtual Server\vmh.exe" -service
.
Contents of the 'Scheduled Tasks' folder
"2007-10-08 17:02:37 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-19 21:53:46 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-19 23:31:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-19 23:33:22
.
--- E O F ---
dellaware
2007-11-20, 02:17
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:03, on 2007-11-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Acer\Empowering Technology\admServ.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CPUCooL\CooLSrv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\TEMP\UG41D1.EXE
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ElkCtrl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Acer\GraviSense\GraviSense.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Offline Course Player\OlpSynch.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Microsoft CRM\Client\res\web\bin\Microsoft.Crm.Application.Hoster.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\DOCUME~1\KERRIG~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\skanneri.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.10.0:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07C5CEDF-A8AC-4B01-A90E-B48145C00E85} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A5DC1DB-2ECD-414C-A668-C2680C11ABDB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {C6851F2F-BCDF-423E-B8EE-88D2F066DCF5} - (no file)
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: LLIEHlprObj Class - {F757FBBF-10E5-4DDA-BBEA-2357E54BEA2B} - C:\Program Files\Open Text\Livelink Explorer\LLBHO3.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [GraviSense] C:\Acer\GraviSense\GraviSense.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [OLPSYNCH] C:\Program Files\Offline Course Player\OlpSynch.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [d0e95cee] rundll32.exe "C:\WINDOWS\system32\ykhixllu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSCRMStartup] "C:\Program Files\Microsoft CRM\Client\res\web\bin\Microsoft.Crm.Application.Hoster.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.deltacrm01
O15 - Trusted Zone: http://deltaproject01.deltascheme.com
O15 - Trusted Zone: *.deltascheme.com
O15 - Trusted Zone: http://*.vmsimsltest
O16 - DPF: {01516EAA-CC39-4477-9500-87CB12F72AFD} (Livelink Explorer Activator) - http://deltalivelink.deltascheme.com/Intranetsupport/webexp/llexpld.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://deltaproject01.deltascheme.com/projectserver/objects/pjclient.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsoft.com/resources/virtuallabs/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {547A5E74-F8CA-4326-9A46-95BEBFE6F065} - http://deltalivelink.deltascheme.com/Intranetsupport/webexp/install.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183578274812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183578057093
O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - http://localhost/VirtualServer/activex/VMRCActiveXClient.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://deltaproject01.deltascheme.com/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://clientprofiles.webex.com/client/T23L/webex/ieatgpc.cab
O16 - DPF: {F8C41CBF-721F-4B99-9FC8-2F8077C4AD39} (BravaClientXView 5.2 Class) - http://igcsps.infograph.com/BravaServer/BravaClientX.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deltascheme.com
O17 - HKLM\Software\..\Telephony: DomainName = deltascheme.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E4C873C-D367-446E-A694-6B7D6D179353}: NameServer = 192.168.150.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deltascheme.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cmgavxpy - cmgavxpy.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScanNT Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
--
End of file - 17591 bytes
steamwiz
2007-11-21, 22:27
Hi
Open notepad and copy/paste the text in the code box below into it:
NOTE* Make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..
Pay particular attention to this :-
Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Folder::
C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\rev3
C:\WINDOWS\system32\dn5
C:\temp
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07C5CEDF-A8AC-4B01-A90E-B48145C00E85}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A5DC1DB-2ECD-414C-A668-C2680C11ABDB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6851F2F-BCDF-423E-B8EE-88D2F066DCF5}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cmgavxpy]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d0e95cee"=-
DirLook::
C:\WINDOWS\system32\dktemp
C:\virus fix
Save this as "CFScript.txt"
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
steam
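The three kinds of entry steamwiz's script removes can be picked out of a HijackThis log mechanically. The Python below is an added example, not code from this thread or from ComboFix: it flags orphaned BHO CLSIDs (O2 with "(no file)"), Winlogon Notify packages whose DLL is missing (O20), and the Vundo-style Run value whose name is eight hex digits and which loads a DLL through rundll32 (O4), then renders them in the Registry:: syntax used in the post above. The sample log lines are constructed from the log in this thread; the regexes, the Finding class and the function names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the HijackThis log posted above: benign
# entries mixed with the three kinds of entry the CFScript above removes.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07C5CEDF-A8AC-4B01-A90E-B48145C00E85} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A5DC1DB-2ECD-414C-A668-C2680C11ABDB} - (no file)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [d0e95cee] rundll32.exe "C:\WINDOWS\system32\ykhixllu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cmgavxpy - cmgavxpy.dll (file missing)
"""

# HijackThis line shapes for the three sections this example looks at.
BHO_RE = re.compile(r'^O2 - BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$')
RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
NOTIFY_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')
# Vundo-style Run value: an 8-hex-digit name that loads a DLL through rundll32.
HEX_NAME = re.compile(r'^[0-9a-f]{8}$')
RUNDLL_DLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)

HIVE_PATH = {'HKLM': 'HKEY_LOCAL_MACHINE', 'HKCU': 'HKEY_CURRENT_USER'}


@dataclass(frozen=True)
class Finding:
    kind: str       # 'bho_orphan' | 'run_rundll32_hex' | 'notify_missing'
    key: str        # CLSID, Run value name, or Notify subkey name
    detail: str     # what was loaded / why it was flagged
    hive: str = ''  # only meaningful for Run values


def find_suspicious(log_text):
    """Return the HijackThis entries that match the patterns targeted above."""
    findings = []
    for line in log_text.strip().splitlines():
        m = BHO_RE.match(line)
        if m:
            # A BHO CLSID whose DLL is gone: a dead registration left behind.
            if m['path'].strip() == '(no file)':
                findings.append(Finding('bho_orphan', m['clsid'], 'no file on disk'))
            continue
        m = RUN_RE.match(line)
        if m:
            dll = RUNDLL_DLL.match(m['cmd'])
            if HEX_NAME.match(m['name']) and dll:
                findings.append(Finding('run_rundll32_hex', m['name'], dll['dll'], m['hive']))
            continue
        m = NOTIFY_RE.match(line)
        if m and 'file missing' in m['path']:
            # Winlogon Notify package whose DLL no longer exists.
            findings.append(Finding('notify_missing', m['name'], m['path']))
    return findings


def build_cfscript(findings):
    """Render the findings as the Registry:: section of a CFScript, in the
    syntax of the helper's script above ('[-key]' deletes a key, '"name"=-'
    deletes a value, and '~' is the shorthand that post uses for the BHO path)."""
    lines = ['Registry::']
    run_values = {}
    for f in findings:
        if f.kind == 'bho_orphan':
            lines.append(f'[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{f.key}]')
        elif f.kind == 'notify_missing':
            lines.append('[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt'
                         f'\\currentversion\\winlogon\\notify\\{f.key}]')
        elif f.kind == 'run_rundll32_hex':
            run_values.setdefault(f.hive, []).append(f.key)
    for hive, names in run_values.items():
        lines.append(f'[{HIVE_PATH[hive]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]')
        lines.extend(f'"{name}"=-' for name in names)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    found = find_suspicious(SAMPLE_HJT)
    for f in found:
        print(f'{f.kind:18} {f.key:42} {f.detail}')
    print(build_cfscript(found))
```

The benign rundll32 line (bthprops.cpl) and the SUPERAntiSpyware Notify entry are deliberately left in the sample so the heuristics can be seen not firing on them.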
dellaware
2007-11-22, 01:19
ComboFix 07-11-19.3 - kerrigand 2007-11-21 22:59:59.3 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1683 [GMT 0:00]
Running from: C:\Documents and Settings\kerrigand\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\kerrigand\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\temp
C:\temp\1901and1911censusrichardleahyclan.zip
C:\temp\abW9\tPho.log
C:\temp\ContactsCopier1.1.exe
C:\temp\F5D7050_v3.exe
C:\temp\llexp.txt
C:\temp\Microsoft Word - Genealogy.LeahyRichard.Gortnamona.1901Census.pdf
C:\temp\Microsoft Word - Genealogy.LeahyRichard.Gortnamona.1911Census.pdf
C:\temp\Shockwave_Installer_Slim.exe
C:\WINDOWS\system32\dn5
C:\WINDOWS\system32\rev3
C:\WINDOWS\system32\rev3\revdrive33b.exe
C:\WINDOWS\system32\rMa01yy
.
((((((((((((((((((((((((( Files Created from 2007-10-21 to 2007-11-21 )))))))))))))))))))))))))))))))
.
2007-11-21 20:47 <DIR> d-------- C:\Documents and Settings\kerrigand\Application Data\Samsung
2007-11-21 18:53 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2007-11-21 18:52 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2007-11-21 17:44 <DIR> d-------- C:\WINDOWS\LastGood
2007-11-21 17:44 <DIR> d-------- C:\Program Files\SAMSUNG
2007-11-19 21:59 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\SUPERAntiSpyware.com
2007-11-19 21:56 73,284 --a------ C:\WINDOWS\system32\drivers\FILEM70.SYS
2007-11-18 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-18 19:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-18 19:22 <DIR> d-------- C:\Documents and Settings\kerrigand\Application Data\SUPERAntiSpyware.com
2007-11-17 19:29 678,151 ---hs---- C:\WINDOWS\system32\ktifmvub.ini
2007-11-17 19:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-17 01:10 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-16 23:14 <DIR> d-------- C:\Documents and Settings\kerrigand\Application Data\Grisoft
2007-11-16 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-16 23:12 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-16 22:54 <DIR> d-------- C:\virus fix
2007-11-16 19:51 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-15 21:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-15 17:48 <DIR> d-------- C:\Documents and Settings\Dave\Phone Browser
2007-11-15 17:46 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Subversion
2007-11-15 17:43 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\ATI
2007-11-14 21:34 671,719 ---hs---- C:\WINDOWS\system32\plgqecpr.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-21 18:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-21 09:25 --------- d-----w C:\Documents and Settings\kerrigand\Application Data\VMware
2007-11-21 09:05 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\VMware
2007-11-21 09:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2007-11-18 19:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 03:02 --------- d-----w C:\Program Files\Microsoft Virtual Server
2007-11-17 19:00 --------- d-----w C:\Program Files\Trend Micro
2007-11-15 22:51 --------- d-----w C:\Program Files\Lavasoft
2007-11-15 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-15 21:49 --------- d-----w C:\Documents and Settings\kerrigand\Application Data\Lavasoft
2007-11-14 21:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-26 03:36 8,454,656 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-17 22:45 --------- d-----w C:\Program Files\SpeedFan
2007-10-08 17:24 --------- d-----w C:\Program Files\iTunes
2007-10-08 17:24 --------- d-----w C:\Program Files\iPod
2007-10-08 17:02 --------- d-----w C:\Program Files\Apple Software Update
2007-09-27 14:41 --------- d-----w C:\Documents and Settings\kerrigand\Application Data\LogMeIn Rescue
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2006-03-02 18:47 57,344 ----a-w C:\Documents and Settings\kerrigand\iSetupNI.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\virus fix ----
2007-11-18 18:55 9661 --a------ C:\virus fix\my_thread_files\vbulletin_md5.js
2007-11-18 18:55 9661 --a------ C:\virus fix\detail_thread_files\vbulletin_md5.js
2007-11-18 18:55 79266 --a------ C:\virus fix\detail_thread.htm
2007-11-18 18:55 677 --a------ C:\virus fix\detail_thread_files\sick.gif
2007-11-18 18:55 6527 --a------ C:\virus fix\my_thread_files\style-82272c4d-00002.css
2007-11-18 18:55 6527 --a------ C:\virus fix\detail_thread_files\style-82272c4d-00002.css
2007-11-18 18:55 609 --a------ C:\virus fix\my_thread_files\mode_linear.gif
2007-11-18 18:55 609 --a------ C:\virus fix\detail_thread_files\mode_linear.gif
2007-11-18 18:55 588 --a------ C:\virus fix\my_thread_files\mode_hybrid.gif
2007-11-18 18:55 588 --a------ C:\virus fix\detail_thread_files\mode_hybrid.gif
2007-11-18 18:55 580 --a------ C:\virus fix\my_thread_files\collapse_thead.gif
2007-11-18 18:55 580 --a------ C:\virus fix\detail_thread_files\collapse_thead.gif
2007-11-18 18:55 562 --a------ C:\virus fix\my_thread_files\mode_threaded.gif
2007-11-18 18:55 562 --a------ C:\virus fix\detail_thread_files\mode_threaded.gif
2007-11-18 18:55 561 --a------ C:\virus fix\detail_thread_files\firstnew.gif
2007-11-18 18:55 55443 --a------ C:\virus fix\my_thread.htm
2007-11-18 18:55 529 --a------ C:\virus fix\detail_thread_files\post_new.gif
2007-11-18 18:55 522 --a------ C:\virus fix\my_thread_files\post_old.gif
2007-11-18 18:55 43897 --a------ C:\virus fix\my_thread_files\vbulletin_global.js
2007-11-18 18:55 43897 --a------ C:\virus fix\detail_thread_files\vbulletin_global.js
2007-11-18 18:55 3765 --a------ C:\virus fix\my_thread_files\sbsdlogo.gif
2007-11-18 18:55 3765 --a------ C:\virus fix\detail_thread_files\sbsdlogo.gif
2007-11-18 18:55 3461 --a------ C:\virus fix\my_thread_files\vbulletin_post_loader.js
2007-11-18 18:55 3461 --a------ C:\virus fix\detail_thread_files\vbulletin_post_loader.js
2007-11-18 18:55 3226 --a------ C:\virus fix\my_thread_files\reply.gif
2007-11-18 18:55 3226 --a------ C:\virus fix\detail_thread_files\reply.gif
2007-11-18 18:55 279 --a------ C:\virus fix\my_thread_files\menu_open.gif
2007-11-18 18:55 279 --a------ C:\virus fix\detail_thread_files\menu_open.gif
2007-11-18 18:55 2182 --a------ C:\virus fix\my_thread_files\quote.gif
2007-11-18 18:55 2182 --a------ C:\virus fix\detail_thread_files\quote.gif
2007-11-18 18:55 17850 --a------ C:\virus fix\my_thread_files\vbulletin_menu.js
2007-11-18 18:55 17850 --a------ C:\virus fix\detail_thread_files\vbulletin_menu.js
2007-11-18 18:55 1750 --a------ C:\virus fix\my_thread_files\image.gif
2007-11-18 18:55 1750 --a------ C:\virus fix\detail_thread_files\image.gif
2007-11-18 18:55 1125 --a------ C:\virus fix\my_thread_files\sendtofriend.gif
2007-11-18 18:55 1125 --a------ C:\virus fix\detail_thread_files\sendtofriend.gif
2007-11-18 18:55 1072 --a------ C:\virus fix\my_thread_files\printer.gif
2007-11-18 18:55 1072 --a------ C:\virus fix\detail_thread_files\printer.gif
2007-11-18 18:55 1035 --a------ C:\virus fix\my_thread_files\navbits_finallink_ltr.gif
2007-11-18 18:55 1035 --a------ C:\virus fix\detail_thread_files\navbits_finallink_ltr.gif
2007-11-18 18:55 1032 --a------ C:\virus fix\my_thread_files\icon1.gif
2007-11-18 18:55 1032 --a------ C:\virus fix\detail_thread_files\icon1.gif
2007-11-18 18:55 1026 --a------ C:\virus fix\my_thread_files\user_online.gif
2007-11-18 18:55 1026 --a------ C:\virus fix\my_thread_files\user_offline.gif
2007-11-18 18:55 1026 --a------ C:\virus fix\detail_thread_files\user_online.gif
2007-11-18 18:55 1026 --a------ C:\virus fix\detail_thread_files\user_offline.gif
2007-11-18 18:55 1004 --a------ C:\virus fix\my_thread_files\navbits_start.gif
2007-11-18 18:55 1004 --a------ C:\virus fix\detail_thread_files\navbits_start.gif
2007-11-18 18:54 5321 --a------ C:\virus fix\kasp_short.txt
2007-11-18 18:04 118272 --a------ C:\virus fix\VundoFix.exe
2007-11-18 04:11 48886 --a------ C:\virus fix\kasp_report.txt
2007-11-17 17:56 17851 --a------ C:\virus fix\sysclean.log
2007-11-17 16:56 27 --a------ C:\virus fix\debug\TSCDebug.log
2007-11-17 15:16 1299 --a------ C:\virus fix\report\20071117.log
2007-11-16 23:25 26301369 --a------ C:\virus fix\lpt830.zip
2007-11-16 23:23 1254916 --a------ C:\virus fix\tmadce.zip
2007-11-16 23:22 1407079 --a------ C:\virus fix\tma554.zip
2007-11-16 23:11 3321379 --a------ C:\virus fix\sysclean.com
2007-11-16 23:04 1208753 --a------ C:\virus fix\SDFix.exe
2007-11-16 14:26 12012 --a------ C:\virus fix\whatsnew.txt
2007-11-16 14:25 39541557 --a------ C:\virus fix\lpt$vpn.830
2007-11-16 12:14 3529993 --a------ C:\virus fix\tmaptn.554
2007-11-16 12:14 2171 --a------ C:\virus fix\new-spy.txt
2007-10-22 12:21 3375816 --a------ C:\virus fix\tmadce.ptn
---- Directory of C:\WINDOWS\system32\dktemp ----
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-04 11:50]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 04:21]
"MSCRMStartup"="C:\Program Files\Microsoft CRM\Client\res\web\bin\Microsoft.Crm.Application.Hoster.exe" [2006-12-19 14:27]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-13 23:29 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-07 16:17]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-07 16:16]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-11-30 20:39]
"LogitechVideo[inspector]"="C:\Program Files\Acer\OrbiCam\InstallHelper.exe" [2005-11-29 14:51]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 17:22]
"RTHDCPL"="RTHDCPL.EXE" [2005-11-16 20:27 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 04:51]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-10-19 09:30]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 C:\WINDOWS\system32\bthprops.cpl]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2005-12-15 19:13]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-18 16:06]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2005-12-01 17:57]
"GraviSense"="C:\Acer\GraviSense\GraviSense.exe" [2005-12-15 20:42]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 17:00]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-07 23:43]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 10:38]
"OLPSYNCH"="C:\Program Files\Offline Course Player\OlpSynch.exe" [2006-10-05 03:00]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2004-08-09 05:03]
"DWPersistentQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.exe" [2007-02-26 08:01]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Delete USB Error Key"="" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00]
C:\Documents and Settings\kerrigand\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-12-02 14:30:42]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-10-19 14:55:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"consentpromptbehavioradmin"= 0 (0x0)
"enableinstallerdetection"= 0 (0x0)
"enablelua"= 0 (0x0)
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-708320503-715289478-879972363-1723\Scripts\Logon\0\0]
"Script"=launchapp_v2.wsf
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-708320503-715289478-879972363-500\Scripts\Logon\0\0]
"Script"=Logon Script.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer VCM.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acer VCM.lnk
backup=C:\WINDOWS\pss\Acer VCM.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
2005-03-31 09:30 1106944 --a------ C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraAssistant]
2005-11-29 14:45 438272 --a------ C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetIcon]
2004-04-28 14:02 42496 --a------ \Program Files\SMSC\Seticon.exe
R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R1 RCFOX;SonicWALL IPsec Driver;\??\C:\WINDOWS\system32\Drivers\RCFOX.sys
R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
R3 IAMTXP;Driver for Intel(R) Active Management Technology - KCS;C:\WINDOWS\system32\DRIVERS\IAMTXP.sys
R3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys
R3 vmkbd;VMware kbd;\??\C:\WINDOWS\system32\drivers\VMkbd.sys
S1 hmonitor;hmonitor;\??\C:\WINDOWS\system32\drivers\hmonitor.sys
S1 OsaFsLoc;OsaFsLoc;\??\C:\WINDOWS\system32\drivers\OsaFsLoc.sys
S2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
S2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
S2 gsensor;gsensor;\??\C:\WINDOWS\system32\gsensor.sys
S2 MSSQL$CRM;SQL Server (CRM);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sCRM
S2 osaio;osaio;\??\C:\WINDOWS\system32\drivers\osaio.sys
S2 osanbm;osanbm;\??\C:\WINDOWS\system32\drivers\osanbm.sys
S2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver;\??\C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys
S3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\Drivers\lv321av.sys
S3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
S3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
S3 ufad-ws60;VMware Agent Service;"C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" -s ufad-p2v.xml
S3 USBDFU;USBDFU;C:\WINDOWS\system32\drivers\usbdfu.sys
S3 Virtual Server;Virtual Server;"C:\Program Files\Microsoft Virtual Server\vssrvc.exe"
S3 vmh;Virtual Machine Helper;"C:\Program Files\Microsoft Virtual Server\vmh.exe" -service
.
Contents of the 'Scheduled Tasks' folder
"2007-10-08 17:02:37 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-21 22:55:33 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-21 23:02:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-11-21 23:03:35
C:\ComboFix2.txt ... 2007-11-19 23:33
.
--- E O F ---
dellaware
2007-11-22, 01:20
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:06, on 2007-11-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\skanneri.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.10.0:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: LLIEHlprObj Class - {F757FBBF-10E5-4DDA-BBEA-2357E54BEA2B} - C:\Program Files\Open Text\Livelink Explorer\LLBHO3.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [GraviSense] C:\Acer\GraviSense\GraviSense.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [OLPSYNCH] C:\Program Files\Offline Course Player\OlpSynch.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSCRMStartup] "C:\Program Files\Microsoft CRM\Client\res\web\bin\Microsoft.Crm.Application.Hoster.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.deltacrm01
O15 - Trusted Zone: http://deltaproject01.deltascheme.com
O15 - Trusted Zone: *.deltascheme.com
O15 - Trusted Zone: http://*.vmsimsltest
O16 - DPF: {01516EAA-CC39-4477-9500-87CB12F72AFD} (Livelink Explorer Activator) - http://deltalivelink.deltascheme.com/Intranetsupport/webexp/llexpld.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://deltaproject01.deltascheme.com/projectserver/objects/pjclient.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsoft.com/resources/virtuallabs/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {547A5E74-F8CA-4326-9A46-95BEBFE6F065} - http://deltalivelink.deltascheme.com/Intranetsupport/webexp/install.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183578274812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183578057093
O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - http://localhost/VirtualServer/activex/VMRCActiveXClient.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://deltaproject01.deltascheme.com/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://clientprofiles.webex.com/client/T23L/webex/ieatgpc.cab
O16 - DPF: {F8C41CBF-721F-4B99-9FC8-2F8077C4AD39} (BravaClientXView 5.2 Class) - http://igcsps.infograph.com/BravaServer/BravaClientX.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deltascheme.com
O17 - HKLM\Software\..\Telephony: DomainName = deltascheme.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E4C873C-D367-446E-A694-6B7D6D179353}: NameServer = 192.168.150.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deltascheme.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScanNT Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
--
End of file - 14184 bytes
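As an added illustration, not code from this thread, from HijackThis or from Trend Micro, here is a small Python parser for lines in the HijackThis v2 format shown in the log above (O2 BHOs, O4 Run entries, O23 services, and a generic fallback for the other types), followed by a triage pass that applies the kind of checks a helper reviewing such a log does by eye: a binary that starts from a temp directory, a random-looking eight-letter file name in system32 (the shape of the hidden .ini files ComboFix deals with later in this thread), a BHO with no name, and a service with an unknown owner outside Program Files or Windows. The sample lines are constructed for the example, and the four heuristics are the example's own assumptions, not a rule set from any of the tools discussed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in HijackThis v2 line format. Names, CLSIDs and paths are
# invented for this illustration; they are not entries from the thread's logs.
SAMPLE_LOG = """\
O2 - BHO: Sample Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Sample\\helper.dll
O2 - BHO: (no name) - {66666666-7777-8888-9999-000000000000} - C:\\WINDOWS\\system32\\qwertyui.dll
O4 - HKLM\\..\\Run: [Updater] C:\\WINDOWS\\TEMP\\update.exe
O4 - HKLM\\..\\Run: [SampleTray] "C:\\Program Files\\Sample\\tray.exe" -hide
O23 - Service: Sample Service (svcsample) - Sample Corp - C:\\Program Files\\Sample\\svc.exe
O23 - Service: Odd Service (oddsvc) - Unknown owner - C:\\Documents and Settings\\user\\Local Settings\\Temp\\oddsvc.exe
"""

# Line shapes as HijackThis prints them: "O2 - BHO: name - {CLSID} - path",
# "O4 - HIVE\..\Run: [value name] command", "O23 - Service: name - vendor - path".
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
_O4 = re.compile(r"^O4 - (?P<hive>[^:]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
_GENERIC = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<rest>.+)$")
# First executable in a Run command, with or without surrounding quotes.
_EXE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|cpl|com|scr))(?:"|\b)', re.IGNORECASE)

# Directories treated as "expected" homes for services (heuristic assumption).
_STANDARD_DIRS = ("c:\\program files\\", "c:\\windows\\")


def first_path(cmd: str) -> str:
    """Return the executable a Run command launches, dropping quotes and arguments."""
    m = _EXE.match(cmd)
    return m.group("path") if m else cmd


def parse_hjt_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one HijackThis line into a dict; None for lines that are not entries."""
    line = line.strip()
    m = _O2.match(line)
    if m:
        return {"type": "O2", "name": m["name"], "clsid": m["clsid"], "path": m["path"], "raw": line}
    m = _O4.match(line)
    if m:
        return {"type": "O4", "hive": m["hive"], "name": m["name"], "path": first_path(m["cmd"]), "raw": line}
    m = _O23.match(line)
    if m:
        return {"type": "O23", "name": m["name"], "vendor": m["vendor"], "path": m["path"], "raw": line}
    m = _GENERIC.match(line)
    if m:
        return {"type": m["type"], "path": "", "rest": m["rest"], "raw": line}
    return None


def flag_entry(entry: Dict[str, str]) -> List[str]:
    """Heuristic review checks (assumptions of this example, not a vendor rule set)."""
    reasons: List[str] = []
    path = entry.get("path", "")
    if not path:
        return reasons
    low = path.lower()
    if "\\temp\\" in low:
        reasons.append("runs from a temp directory")
    directory, _, base = path.rpartition("\\")
    if directory.lower().endswith("\\system32") and re.fullmatch(r"[a-z]{8}\.(?:dll|exe|ini)", base):
        reasons.append("random-looking 8-letter filename in system32")
    if entry["type"] == "O2" and entry.get("name") == "(no name)":
        reasons.append("BHO with no name")
    if entry["type"] == "O23" and entry.get("vendor") == "Unknown owner" and not low.startswith(_STANDARD_DIRS):
        reasons.append("service with unknown owner outside Program Files/Windows")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Parse every line and return (raw line, reasons) for the entries worth a second look."""
    flagged: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        reasons = flag_entry(entry)
        if reasons:
            flagged.append((entry["raw"], reasons))
    return flagged


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_LOG):
        print(raw)
        for r in reasons:
            print("   ->", r)
```

Entries the checks do not flag are still parsed, so the same structures can be fed to whatever lookup the reviewer prefers (for instance comparing each O2 CLSID or O23 path against a known-good list); the heuristics above only decide which lines to read first.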
steamwiz
2007-11-22, 22:34
Hi
You are running an out-of-date version of Java
Go to add/remove programs and uninstall any earlier versions ...(in your case j2re1.4.2_05)
Then you can go here and install the latest version of Java.
http://java.sun.com/javase/downloads/index.jsp
Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 3' and press the 'Download' button.
Running an out-of-date version of Java is an infection risk.
THEN ...
Please Download CCleaner from :-
http://www.filehippo.com/download_ccleaner/ (click the download tab)
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.
Double-click the ccsetup.exe file and install the program...
After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
Make sure the "windows" tab is selected
Under "internet explorer" tick...
Temporary internet files
Cookies* > see Note below
History
Recently typed URLs (leave this unticked if you DON'T want to clear the drop-down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history
under "Windows explorer" these are optional, but you can safely tick them all if you wish; they are only "most recently used lists"
Other explorer MRUs (leave this unticked if you DON'T want to clear lists such as the start\run list)
under "System"
Tick ALL these ...
under "Advanced"
no need to tick any of these (but you can if you want, and realise what they do)
Applications tab...
These will mostly clean out old log files for these applications...
Clean:- (if you use them)
Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...
Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.
click "analyse" if you want to see a list of what is going to be removed, before it is removed.
Or
click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up
"This process will permanently delete files from your system. Are you sure you wish to proceed?"
click OK.
THEN ...
This will clear all your infected restore points...
Turn off (Disable) System Restore in XP :-
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.
Then...
Turn on (enable) System Restore :-
Follow the same procedure, but this time uncheck Turn off System Restore
if you have any problem with this... here's a link to instructions :-
Disabling or enabling Windows XP System Restore >
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
steam
dellaware
2007-11-23, 00:50
That's all done now. Thanks for all the advice.
I am clean now or do you need another HJT log to confirm?
steamwiz
2007-11-23, 19:54
Hi
Almost there ...
I posted your last set of instructions while still looking through your logs ...
Your hijackthis log is clean...
But Combofix still shows a couple of hidden vundo files ...
Once we delete those & check your new Combofix log, you should be good to go ...
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..
Pay particular attention to this :-
Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\ktifmvub.ini
C:\WINDOWS\system32\plgqecpr.ini
Folder::
C:\WINDOWS\system32\dktemp
Save this as "CFScript.txt"
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
steam
dellaware
2007-11-23, 21:06
OK - fingers crossed....
ComboFix 07-11-19.3 - Dave 2007-11-23 18:16:12.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1731 [GMT 0:00]
Running from: C:\Documents and Settings\kerrigand\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\kerrigand\Desktop\CFScript.txt
FILE
C:\WINDOWS\system32\ktifmvub.ini
C:\WINDOWS\system32\plgqecpr.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\dktemp
C:\WINDOWS\system32\ktifmvub.ini
C:\WINDOWS\system32\plgqecpr.ini
.
((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
.
2007-11-22 21:51 <DIR> d-------- C:\Program Files\CCleaner
2007-11-21 20:47 <DIR> d-------- C:\Documents and Settings\kerrigand\Application Data\Samsung
2007-11-21 18:53 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2007-11-21 18:52 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2007-11-21 17:44 <DIR> d-------- C:\Program Files\SAMSUNG
2007-11-21 17:44 766 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-19 21:59 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\SUPERAntiSpyware.com
2007-11-19 21:56 73,284 --a------ C:\WINDOWS\system32\drivers\FILEM70.SYS
2007-11-18 19:32 678,212 ---hs---- C:\WINDOWS\system32\ullxihky.ini
2007-11-18 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-18 19:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-18 19:22 <DIR> d-------- C:\Documents and Settings\kerrigand\Application Data\SUPERAntiSpyware.com
2007-11-17 19:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-16 23:14 <DIR> d-------- C:\Documents and Settings\kerrigand\Application Data\Grisoft
2007-11-16 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-16 23:12 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-16 22:54 <DIR> d-------- C:\virus fix
2007-11-16 19:51 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-15 21:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-15 17:48 <DIR> d-------- C:\Documents and Settings\Dave\Phone Browser
2007-11-15 17:46 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Subversion
2007-11-15 17:43 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\ATI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-23 18:07 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\VMware
2007-11-23 18:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2007-11-23 17:53 --------- d-----w C:\Documents and Settings\kerrigand\Application Data\VMware
2007-11-22 21:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-21 18:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-18 19:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 03:02 --------- d-----w C:\Program Files\Microsoft Virtual Server
2007-11-17 19:00 --------- d-----w C:\Program Files\Trend Micro
2007-11-15 22:51 --------- d-----w C:\Program Files\Lavasoft
2007-11-15 21:49 --------- d-----w C:\Documents and Settings\kerrigand\Application Data\Lavasoft
2007-11-14 21:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-26 03:36 8,454,656 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-17 22:45 --------- d-----w C:\Program Files\SpeedFan
2007-10-08 17:24 --------- d-----w C:\Program Files\iTunes
2007-10-08 17:24 --------- d-----w C:\Program Files\iPod
2007-10-08 17:02 --------- d-----w C:\Program Files\Apple Software Update
2007-09-27 14:41 --------- d-----w C:\Documents and Settings\kerrigand\Application Data\LogMeIn Rescue
2006-03-02 18:47 57,344 ----a-w C:\Documents and Settings\kerrigand\iSetupNI.dll
.
((((((((((((((((((((((((((((( snapshot@2007-11-21_23.02.39.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-21 22:51:13 211,851 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-11-23 18:10:12 211,847 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-13 23:29 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-07 16:17]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-07 16:16]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-11-30 20:39]
"LogitechVideo[inspector]"="C:\Program Files\Acer\OrbiCam\InstallHelper.exe" [2005-11-29 14:51]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 17:22]
"RTHDCPL"="RTHDCPL.EXE" [2005-11-16 20:27 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 04:51]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-10-19 09:30]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 C:\WINDOWS\system32\bthprops.cpl]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2005-12-15 19:13]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-18 16:06]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2005-12-01 17:57]
"GraviSense"="C:\Acer\GraviSense\GraviSense.exe" [2005-12-15 20:42]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 17:00]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-07 23:43]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 10:38]
"OLPSYNCH"="C:\Program Files\Offline Course Player\OlpSynch.exe" [2006-10-05 03:00]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2004-08-09 05:03]
"DWPersistentQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.exe" [2007-02-26 08:01]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 05:03]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00]
C:\Documents and Settings\kerrigand\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-12-02 14:30:42]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-10-19 14:55:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"consentpromptbehavioradmin"= 0 (0x0)
"enableinstallerdetection"= 0 (0x0)
"enablelua"= 0 (0x0)
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-708320503-715289478-879972363-1723\Scripts\Logon\0\0]
"Script"=launchapp_v2.wsf
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-708320503-715289478-879972363-500\Scripts\Logon\0\0]
"Script"=Logon Script.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer VCM.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acer VCM.lnk
backup=C:\WINDOWS\pss\Acer VCM.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
2005-03-31 09:30 1106944 --a------ C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraAssistant]
2005-11-29 14:45 438272 --a------ C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetIcon]
2004-04-28 14:02 42496 --a------ \Program Files\SMSC\Seticon.exe
R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
R3 IAMTXP;Driver for Intel(R) Active Management Technology - KCS;C:\WINDOWS\system32\DRIVERS\IAMTXP.sys
R3 vmkbd;VMware kbd;\??\C:\WINDOWS\system32\drivers\VMkbd.sys
S1 hmonitor;hmonitor;\??\C:\WINDOWS\system32\drivers\hmonitor.sys
S1 OsaFsLoc;OsaFsLoc;\??\C:\WINDOWS\system32\drivers\OsaFsLoc.sys
S1 RCFOX;SonicWALL IPsec Driver;\??\C:\WINDOWS\system32\Drivers\RCFOX.sys
S2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
S2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
S2 gsensor;gsensor;\??\C:\WINDOWS\system32\gsensor.sys
S2 MSSQL$CRM;SQL Server (CRM);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sCRM
S2 osaio;osaio;\??\C:\WINDOWS\system32\drivers\osaio.sys
S2 osanbm;osanbm;\??\C:\WINDOWS\system32\drivers\osanbm.sys
S2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver;\??\C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys
S3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\Drivers\lv321av.sys
S3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys
S3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
S3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys
S3 ufad-ws60;VMware Agent Service;"C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" -s ufad-p2v.xml
S3 USBDFU;USBDFU;C:\WINDOWS\system32\drivers\usbdfu.sys
S3 Virtual Server;Virtual Server;"C:\Program Files\Microsoft Virtual Server\vssrvc.exe"
S3 vmh;Virtual Machine Helper;"C:\Program Files\Microsoft Virtual Server\vmh.exe" -service
.
Contents of the 'Scheduled Tasks' folder
"2007-10-08 17:02:37 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-23 18:16:05 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 18:20:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-11-23 18:21:32
C:\ComboFix2.txt ... 2007-11-21 23:03
C:\ComboFix3.txt ... 2007-11-19 23:33
.
--- E O F ---
steamwiz
2007-11-23, 21:39
Hi
One more ...
2007-11-18 19:32 678,212 ---hs---- C:\WINDOWS\system32\ullxihky.ini
This should have been shown in your last but one Combofix log, as the date it shows was covered ... but for some reason it wasn't shown ...
Never mind, as it's hidden, it will take one more CFscript to get rid of it ...
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..
Pay particular attention to this :-
Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\ullxihky.ini
Save this as "CFScript.txt"
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
steam
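The check behind the instruction above, as an added example (not ComboFix's own code and not part of the original post): the file steam picked out carries the `---hs----` attribute field, i.e. hidden plus system, which is why an ordinary directory listing does not show it. The script below parses the "Files Created" lines in the format the ComboFix logs in this thread use, flags hidden+system files created under `C:\WINDOWS\system32`, and emits a CFScript whose first line is exactly `File::` with no blank line above it and no leading space, then verifies that shape. The sample lines are lifted from the logs in this thread; the meaning of the attribute letters (d, a, h, s) is inferred from those lines, the `system32` root is an assumption, and all function names are the example's own.

```python
"""Parse ComboFix 'Files Created' entries, flag hidden+system files, and build a
well-formed CFScript 'File::' block. Added example, not ComboFix or forum code."""
import re
from dataclasses import dataclass
from typing import List, Sequence

# One ComboFix file-list line: date time, size (or <DIR>), a 9-character
# attribute field, then the path. Letters seen in the thread's own logs:
# d=directory, a=archive, h=hidden, s=system; '-' means the bit is not set.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([A-Za-z-]{9})\s+(.+?)\s*$"
)

# Constructed sample: four lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
2007-11-22 21:51 <DIR> d-------- C:\Program Files\CCleaner
2007-11-21 18:53 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2007-11-21 18:52 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2007-11-18 19:32 678,212 ---hs---- C:\WINDOWS\system32\ullxihky.ini
"""


@dataclass
class Entry:
    stamp: str
    size: int          # -1 for directories
    attrs: str         # raw 9-character attribute field
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden_system(self) -> bool:
        # Both bits set: the combination that keeps a file out of Explorer
        # and plain 'dir' listings, as with ullxihky.ini above.
        return "h" in self.attrs and "s" in self.attrs


def parse_entries(log_text: str) -> List[Entry]:
    """Return every line that matches the file-list layout; banners and '.'
    separator lines are skipped."""
    entries: List[Entry] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        size_n = -1 if size == "<DIR>" else int(size.replace(",", ""))
        entries.append(Entry(stamp, size_n, attrs, path))
    return entries


def suspicious_paths(entries: Sequence[Entry],
                     roots: Sequence[str] = (r"C:\WINDOWS\system32",)) -> List[str]:
    """Hidden+system *files* (not directories) created under the given roots.
    The roots default is an assumption of this example."""
    flagged = []
    for e in entries:
        if e.is_dir or not e.hidden_system:
            continue
        if any(e.path.lower().startswith(r.lower() + "\\") for r in roots):
            flagged.append(e.path)
    return flagged


def build_cfscript(paths: Sequence[str]) -> str:
    """CFScript text: 'File::' as the very first line, then one full path per line."""
    if not paths:
        raise ValueError("no paths to put under File::")
    return "File::\n" + "\n".join(paths) + "\n"


def cfscript_is_well_formed(script: str) -> bool:
    """Enforce the thread's rules: no blank line or leading space before 'File::',
    and every following non-empty line is an absolute drive path with no indent."""
    lines = script.split("\n")
    if lines[0] != "File::":
        return False
    body = [ln for ln in lines[1:] if ln]
    return bool(body) and all(ln == ln.strip() and ln[1:3] == ":\\" for ln in body)


if __name__ == "__main__":
    found = suspicious_paths(parse_entries(SAMPLE_LOG))
    script = build_cfscript(found)
    print(script, end="")
    print("well-formed:", cfscript_is_well_formed(script))
```

Run it as-is and it prints the one-line `File::` script for `ullxihky.ini`; feed it a longer ComboFix log and any other hidden+system file dropped into `system32` shows up the same way. The letter-based attribute test deliberately avoids depending on column positions, since the Find3M section of the same log uses a different field layout.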
dellaware
2007-11-23, 22:26
Here goes...
ComboFix 07-11-19.3 - Dave 2007-11-23 20:04:11.5 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1727 [GMT 0:00]
Running from: C:\Documents and Settings\kerrigand\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\kerrigand\Desktop\CFScript.txt
FILE
C:\WINDOWS\system32\ullxihky.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\ullxihky.ini
.
((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
.
2007-11-22 21:51 <DIR> d-------- C:\Program Files\CCleaner
2007-11-21 20:47 <DIR> d-------- C:\Documents and Settings\kerrigand\Application Data\Samsung
2007-11-21 18:53 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2007-11-21 18:52 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2007-11-21 17:44 <DIR> d-------- C:\Program Files\SAMSUNG
2007-11-21 17:44 766 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-19 21:59 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\SUPERAntiSpyware.com
2007-11-19 21:56 73,284 --a------ C:\WINDOWS\system32\drivers\FILEM70.SYS
2007-11-18 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-18 19:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-18 19:22 <DIR> d-------- C:\Documents and Settings\kerrigand\Application Data\SUPERAntiSpyware.com
2007-11-17 19:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-16 23:14 <DIR> d-------- C:\Documents and Settings\kerrigand\Application Data\Grisoft
2007-11-16 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-16 23:12 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-16 22:54 <DIR> d-------- C:\virus fix
2007-11-16 19:51 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-15 21:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-15 17:48 <DIR> d-------- C:\Documents and Settings\Dave\Phone Browser
2007-11-15 17:46 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Subversion
2007-11-15 17:43 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\ATI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-23 18:50 --------- d-----w C:\Documents and Settings\kerrigand\Application Data\VMware
2007-11-23 18:28 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\VMware
2007-11-23 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2007-11-22 21:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-21 18:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-18 19:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 03:02 --------- d-----w C:\Program Files\Microsoft Virtual Server
2007-11-17 19:00 --------- d-----w C:\Program Files\Trend Micro
2007-11-15 22:51 --------- d-----w C:\Program Files\Lavasoft
2007-11-15 21:49 --------- d-----w C:\Documents and Settings\kerrigand\Application Data\Lavasoft
2007-11-14 21:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-26 03:36 8,454,656 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-17 22:45 --------- d-----w C:\Program Files\SpeedFan
2007-10-08 17:24 --------- d-----w C:\Program Files\iTunes
2007-10-08 17:24 --------- d-----w C:\Program Files\iPod
2007-10-08 17:02 --------- d-----w C:\Program Files\Apple Software Update
2007-09-27 14:41 --------- d-----w C:\Documents and Settings\kerrigand\Application Data\LogMeIn Rescue
2006-03-02 18:47 57,344 ----a-w C:\Documents and Settings\kerrigand\iSetupNI.dll
.
((((((((((((((((((((((((((((( snapshot@2007-11-21_23.02.39.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-21 22:51:13 211,851 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-11-23 19:58:23 211,854 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-13 23:29 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-07 16:17]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-07 16:16]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-11-30 20:39]
"LogitechVideo[inspector]"="C:\Program Files\Acer\OrbiCam\InstallHelper.exe" [2005-11-29 14:51]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 17:22]
"RTHDCPL"="RTHDCPL.EXE" [2005-11-16 20:27 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 04:51]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-10-19 09:30]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 C:\WINDOWS\system32\bthprops.cpl]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2005-12-15 19:13]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-18 16:06]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2005-12-01 17:57]
"GraviSense"="C:\Acer\GraviSense\GraviSense.exe" [2005-12-15 20:42]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 17:00]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-07 23:43]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 10:38]
"OLPSYNCH"="C:\Program Files\Offline Course Player\OlpSynch.exe" [2006-10-05 03:00]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2004-08-09 05:03]
"DWPersistentQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.exe" [2007-02-26 08:01]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 05:03]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00]
C:\Documents and Settings\kerrigand\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-12-02 14:30:42]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-10-19 14:55:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"consentpromptbehavioradmin"= 0 (0x0)
"enableinstallerdetection"= 0 (0x0)
"enablelua"= 0 (0x0)
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-708320503-715289478-879972363-1723\Scripts\Logon\0\0]
"Script"=launchapp_v2.wsf
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-708320503-715289478-879972363-500\Scripts\Logon\0\0]
"Script"=Logon Script.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer VCM.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acer VCM.lnk
backup=C:\WINDOWS\pss\Acer VCM.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
2005-03-31 09:30 1106944 --a------ C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraAssistant]
2005-11-29 14:45 438272 --a------ C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetIcon]
2004-04-28 14:02 42496 --a------ \Program Files\SMSC\Seticon.exe
R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
R3 IAMTXP;Driver for Intel(R) Active Management Technology - KCS;C:\WINDOWS\system32\DRIVERS\IAMTXP.sys
R3 vmkbd;VMware kbd;\??\C:\WINDOWS\system32\drivers\VMkbd.sys
S1 hmonitor;hmonitor;\??\C:\WINDOWS\system32\drivers\hmonitor.sys
S1 OsaFsLoc;OsaFsLoc;\??\C:\WINDOWS\system32\drivers\OsaFsLoc.sys
S1 RCFOX;SonicWALL IPsec Driver;\??\C:\WINDOWS\system32\Drivers\RCFOX.sys
S2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
S2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
S2 gsensor;gsensor;\??\C:\WINDOWS\system32\gsensor.sys
S2 MSSQL$CRM;SQL Server (CRM);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sCRM
S2 osaio;osaio;\??\C:\WINDOWS\system32\drivers\osaio.sys
S2 osanbm;osanbm;\??\C:\WINDOWS\system32\drivers\osanbm.sys
S2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver;\??\C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys
S3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\Drivers\lv321av.sys
S3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys
S3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
S3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys
S3 ufad-ws60;VMware Agent Service;"C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" -s ufad-p2v.xml
S3 USBDFU;USBDFU;C:\WINDOWS\system32\drivers\usbdfu.sys
S3 Virtual Server;Virtual Server;"C:\Program Files\Microsoft Virtual Server\vssrvc.exe"
S3 vmh;Virtual Machine Helper;"C:\Program Files\Microsoft Virtual Server\vmh.exe" -service
.
Contents of the 'Scheduled Tasks' folder
"2007-10-08 17:02:37 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-23 20:03:58 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 20:08:32
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-11-23 20:09:43
C:\ComboFix2.txt ... 2007-11-23 18:21
C:\ComboFix3.txt ... 2007-11-21 23:03
.
--- E O F ---
steamwiz
2007-11-23, 22:37
Hi
You'll be pleased to know your log is at last clean :)
If your problems are now resolved ...
Happy surfing
steam
dellaware
2007-11-23, 22:44
Everything is behaving very well now. Thank you so much for your help :bigthumb: without it I really would have been stuck.
steamwiz
2007-11-24, 00:01
You're very welcome :)
steam