AntiSpyWareMaster & Trojan.Brave-A Removal Help Requested



LegalDawg
2008-04-23, 18:39
Hello:

Would appreciate any assistance an expert can provide in the removal of what I understand to be AntiSpyWareMaster & Trojan.Brave-A from my laptop computer.

To date I have completed the following: (1) run SS&D, immunized, and deleted the red reported items (2) run Kaspersky Online Scanner (log provided below) (3) rebooted laptop into safe mode and re-ran SS&D and deleted red reported items, and (4) rebooted laptop into normal mode and ran HijackThis (log provided below).

Despite the above, AntiSpyWareMaster reinstalls on each laptop start-up, and browsing speed/computer responsiveness remains compromised.

Any help an expert can provide would be truly appreciated.

Much thanks,

Dawg
_________________________________________________

Kaspersky:

2008-04-22 23:37
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/04/2008
Kaspersky Anti-Virus database records: 722306


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
M:\
N:\
O:\

Scan Statistics
Total number of scanned objects 105370
Number of viruses found 3
Number of infected objects 7
Number of suspicious objects 0
Duration of the scan process 01:13:00

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080422_Time-210052703_EnterceptExceptions.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080422_Time-210052703_EnterceptRules.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_VAADMEXB7XVQB1.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_VAADMEXB7XVQB1.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped

C:\Documents and Settings\JKramp\Application Data\$_hpcst$.hpc Object is locked skipped

C:\Documents and Settings\JKramp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\JKramp\Desktop\Jeff Stuff\Security\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\JKramp\Desktop\Jeff Stuff\Security\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\JKramp\Desktop\Jeff Stuff\Security\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\JKramp\Desktop\Jeff Stuff\Security\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\JKramp\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\JKramp\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\JKramp\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\JKramp\Local Settings\Temp\NAILogs\UpdaterUI_VAADMEXB7XVQB1.log Object is locked skipped

C:\Documents and Settings\JKramp\Local Settings\Temp\WCESLog.log Object is locked skipped

C:\Documents and Settings\JKramp\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\JKramp\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\JKramp\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Network Associates\System Compliance Profiler\PtchScan.log Object is locked skipped

C:\quarantine\Av-test.txt.Vir Object is locked skipped

C:\quarantine\install_en[1].cab.Vir Object is locked skipped

C:\quarantine\xpupdate.exe.Vir Infected: Trojan-Downloader.Win32.FraudLoad.oz skipped

C:\quarantine\xpupdate.exe.Vir.0 Infected: Trojan-Downloader.Win32.FraudLoad.oz skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{2FF78AE5-26C5-4C66-9F2E-8FBADEAB16A3}\RP2\change.log Object is locked skipped

C:\WINDOWS\CSC\00000001 Object is locked skipped

C:\WINDOWS\CSC\00000002 Object is locked skipped

C:\WINDOWS\CSC\00000003 Object is locked skipped

C:\WINDOWS\CSC\d1\00000768 Object is locked skipped

C:\WINDOWS\CSC\d1\00000918 Object is locked skipped

C:\WINDOWS\CSC\d1\00000920 Object is locked skipped

C:\WINDOWS\CSC\d2\00000011 Object is locked skipped

C:\WINDOWS\CSC\d2\000008B1 Object is locked skipped

C:\WINDOWS\CSC\d3\00000012 Object is locked skipped

C:\WINDOWS\CSC\d4\0000091B Object is locked skipped

C:\WINDOWS\CSC\d5\00000014 Object is locked skipped

C:\WINDOWS\CSC\d7\0000004E Object is locked skipped

C:\WINDOWS\Debug\Netlogon.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
________________________________________________

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:43, on 2008-04-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\vulScan.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\LANDesk\LDClient\xddclient.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\rpcnet.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\AntiSpywareMaster\asm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Desktop Architect\datray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ChaosSoft\TransText\TransText.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\LIVEME~1\Addins\LMCAPI.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {1921FF4E-3A98-4027-B326-8A4B3D92D51E} - C:\WINDOWS\system32\rqRhiIXo.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5F921DBC-867E-4DAD-B61B-556007EC4FA8} - C:\WINDOWS\system32\efcYSmME.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [BGInfo] C:\BG_Info\BGInfo.exe C:\BG_Info\NEW.bgi /TIMER:0
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro /Retry=2 /Tspan=60 /Rstart
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=vasldcore01.newcorp.com:5007 /S=vasldcore01.newcorp.com /I=HTTP://vasldcore01.newcorp.com/ldlogon/ldappl3.ldz /NOUI /rstart=60
O4 - HKLM\..\Run: [LANDeskVulscanClient] "C:\Program Files\LANDesk\LDClient\vulScan.exe" /rstart=60
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe
O4 - HKLM\..\Run: [bcbd1fcc] rundll32.exe "C:\WINDOWS\system32\brcawhgx.dll",b
O4 - HKLM\..\Run: [BMbf8e2c50] Rundll32.exe "C:\WINDOWS\system32\axvlukqu.dll",s
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: TransText.lnk = C:\Program Files\ChaosSoft\TransText\TransText.exe
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.newcorp.com
O15 - Trusted Zone: http://rio.2ui.prod.com
O15 - Trusted Zone: rio2ui2.prod.com
O15 - Trusted Zone: http://rio2ui2.prod.com
O15 - Trusted Zone: http://rio2ui2.prod.com (HKLM)
O16 - DPF: {08288600-E9D9-11D1-9C84-006008319186} (VanTFind.VanTFindCtrl) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vantfind.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {3D82A12A-C1FA-11D0-9B21-0080C79EFE90} (VanFind.VanFindCtrl) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vanfind.cab
O16 - DPF: {60046ED9-8E77-11D0-9B21-0080C79EFE90} (VanGrid.VanGridCtrl) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vangrid.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205936002109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206049725015
O16 - DPF: {ABDE29F2-6F9C-11D1-9B21-0080C79EFE90} (VanLiteral.CodeSet) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VanLiteral.CAB
O16 - DPF: {BE033B8C-722E-11D1-9B21-0080C79EFE90} (VanMessage.Message) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VanMessage.CAB
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) -
O16 - DPF: {CAFECAFE-0013-0001-0024-ABCDEFABCDEF} (JInitiator 1.3.1.24) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = newcorp.com
O17 - HKLM\Software\..\Telephony: DomainName = newcorp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = newcorp.com
O20 - Winlogon Notify: nnnoNffG - nnnoNffG.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: LANDesk(R) Extended device discovery service (LDXDD) - Unknown owner - C:\Program Files\LANDesk\LDClient\xddclient.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Oracleeeclt92ClientCache - Unknown owner - C:\Oracle\OraClt92\BIN\ONRSD.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 16908 bytes

Rorschach112
2008-04-23, 19:51
Hello

Please download ComboFix from Here (http://subs.geekstogo.com/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------


Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


-----------------------------------------------------------
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

LegalDawg
2008-04-23, 22:23
Rorschach112:

Much thanks for your extremely quick response.

I have followed your instructions and provide the requested ComboFix and HJT logs below.

Best Regards,

LegalDawg

ComboFix Log:

ComboFix 08-04-22.5 - JKramp 2008-04-23 15:04:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1379 [GMT -4:00]
Running from: C:\Documents and Settings\JKramp\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AntiSpywareMaster
C:\Program Files\AntiSpywareMaster\asm.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-23 14:56 . 2008-04-23 14:56 90,112 --a------ C:\WINDOWS\system32\WOEM_3_2awoem.tmp
2008-04-23 08:42 . 2008-04-23 08:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 08:21 . 2008-04-23 08:21 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-22 21:39 . 2008-04-22 21:39 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-22 21:39 . 2008-04-22 21:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-22 20:08 . 2008-04-22 20:22 1,540,617 --ahs---- C:\WINDOWS\system32\xpdderwy.ini
2008-04-22 08:32 . 2008-04-22 20:25 662 --a------ C:\WINDOWS\wininit.ini
2008-04-22 08:14 . 2008-04-22 08:14 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-22 08:14 . 2008-04-22 08:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-22 08:14 . 2008-04-22 08:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-22 08:06 . 2008-04-22 09:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-22 08:06 . 2008-04-22 08:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-21 22:35 . 2008-04-22 09:57 1,540,857 --ahs---- C:\WINDOWS\system32\xghwacrb.ini
2008-04-21 22:34 . 2008-04-23 15:04 <DIR> d-------- C:\quarantine
2008-04-21 22:26 . 2008-04-22 08:12 109,766 --a------ C:\WINDOWS\BMbf8e2c50.xml
2008-04-21 17:09 . 2008-04-21 17:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-21 17:09 . 2008-04-21 17:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-21 16:54 . 2008-04-21 16:54 <DIR> d-------- C:\Documents and Settings\JKramp\Application Data\Viewpoint
2008-04-21 16:04 . 2008-04-21 16:04 <DIR> d-------- C:\Program Files\DivX
2008-04-21 15:51 . 2008-04-21 15:51 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-04-21 15:51 . 2005-10-20 21:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-21 15:51 . 2005-10-20 21:47 30,592 --a--c--- C:\WINDOWS\system32\dllcache\SET63.tmp
2008-04-21 15:51 . 2005-10-20 21:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-21 15:51 . 2005-10-20 21:47 12,800 --a--c--- C:\WINDOWS\system32\dllcache\SET62.tmp
2008-04-21 15:41 . 2008-04-21 15:41 <DIR> d-------- C:\Documents and Settings\JKramp\Application Data\CyberLink
2008-04-21 12:52 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-21 12:21 . 2008-04-21 12:21 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2008-04-21 10:54 . 2008-04-23 15:00 478 --a------ C:\WINDOWS\hpbafd.ini
2008-04-21 10:54 . 2008-04-21 10:54 331 --a------ C:\WINDOWS\FMTMSAM.INI
2008-04-21 10:52 . 2008-04-21 10:52 <DIR> d-------- C:\WINDOWS\system32\inf
2008-04-21 10:37 . 2008-04-21 10:37 <DIR> d-------- C:\Documents and Settings\JKramp\Application Data\Media Player Classic
2008-04-21 10:16 . 2008-04-21 10:16 <DIR> d-------- C:\Documents and Settings\JKramp\Incomplete
2008-04-21 10:15 . 2008-04-21 16:01 <DIR> d-------- C:\Documents and Settings\JKramp\Application Data\LimeWire
2008-04-21 10:14 . 2008-04-21 10:17 <DIR> d-------- C:\Program Files\LimeWire
2008-04-21 10:12 . 2008-04-21 10:12 <DIR> d-------- C:\Program Files\Google
2008-04-21 10:11 . 2008-04-21 10:11 <DIR> d-------- C:\Program Files\IrfanView
2008-04-21 10:06 . 2008-04-21 10:06 <DIR> d-------- C:\Program Files\VideoLAN
2008-04-21 10:06 . 2008-04-21 10:06 <DIR> d-------- C:\Documents and Settings\JKramp\Application Data\vlc
2008-04-21 09:37 . 2008-04-21 09:37 <DIR> d-------- C:\Program Files\ChaosSoft
2008-04-21 09:37 . 2008-04-21 09:37 0 --a------ C:\WINDOWS\PROTOCOL.INI
2008-04-21 09:24 . 2008-04-21 09:32 <DIR> d-------- C:\Program Files\Winamp
2008-04-21 09:18 . 2008-04-21 09:19 <DIR> d-------- C:\My Documents
2008-04-21 09:09 . 2008-04-21 14:04 2,359,350 --a------ C:\WINDOWS\Theme JKramp.bmp
2008-04-21 09:07 . 2008-04-21 09:08 <DIR> d-------- C:\Program Files\Desktop Architect
2008-04-21 09:07 . 1995-07-14 00:00 146,321 --a------ C:\WINDOWS\system32\plus!.hlp
2008-04-21 09:07 . 2001-05-07 18:34 32,768 --a------ C:\WINDOWS\system32\dapanel.cpl
2008-04-21 09:07 . 1995-06-01 12:00 1,300 --a------ C:\WINDOWS\system32\cool.dll
2008-04-21 09:03 . 2008-04-21 09:04 <DIR> d-------- C:\Program Files\Plus
2008-04-18 15:37 . 2008-04-18 15:37 <DIR> d-------- C:\lj1238
2008-04-18 15:34 . 2001-08-17 13:47 23,808 --a------ C:\WINDOWS\system32\drivers\Dot4usb.sys
2008-04-18 15:34 . 2001-08-17 13:47 23,808 --a--c--- C:\WINDOWS\system32\dllcache\dot4usb.sys
2008-04-18 15:34 . 2001-08-17 13:47 12,928 --a------ C:\WINDOWS\system32\drivers\Dot4Prt.sys
2008-04-18 15:34 . 2001-08-17 13:47 12,928 --a--c--- C:\WINDOWS\system32\dllcache\dot4prt.sys
2008-04-18 15:33 . 2004-08-03 22:58 207,360 --a------ C:\WINDOWS\system32\drivers\Dot4.sys
2008-04-18 15:33 . 2004-08-03 22:58 207,360 --a--c--- C:\WINDOWS\system32\dllcache\dot4.sys
2008-04-18 15:29 . 2008-04-18 15:29 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-04-18 15:24 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-18 15:24 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-04-18 15:24 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-18 15:24 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-04-18 15:24 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-04-18 15:24 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-04-18 15:12 . 2008-04-18 15:12 <DIR> d-------- C:\Program Files\Common Files\Crystal Decisions
2008-04-18 15:11 . 2008-04-18 15:16 <DIR> d-------- C:\Program Files\Equity Edge
2008-04-18 15:10 . 2008-04-18 15:10 <DIR> d-------- C:\Program Files\Microsoft Visual Studio .NET 2003
2008-04-18 14:29 . 2007-03-30 19:58 172,032 --a------ C:\WINDOWS\system32\igfxres.dll
2008-04-18 12:34 . 2008-04-18 12:34 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-18 11:53 . 2008-03-20 17:10 <DIR> d-------- C:\Documents and Settings\JKramp\WINDOWS
2008-04-18 11:53 . 2008-03-19 10:13 <DIR> d---s---- C:\Documents and Settings\JKramp\UserData
2008-04-18 11:53 . 2008-03-21 11:43 <DIR> d-------- C:\Documents and Settings\JKramp\pnlinks
2008-04-18 11:53 . 2008-03-19 11:06 <DIR> d-------- C:\Documents and Settings\JKramp\Application Data\U3
2008-04-18 11:53 . 2008-03-20 09:36 <DIR> d-------- C:\Documents and Settings\JKramp\Application Data\Intel
2008-04-18 11:53 . 2008-03-19 16:27 <DIR> d-------- C:\Documents and Settings\JKramp\Application Data\ICAClient
2008-04-18 11:53 . 2008-04-21 11:01 <DIR> d-------- C:\Documents and Settings\JKramp
2008-04-18 11:53 . 2008-04-23 15:05 86,016 --ah----- C:\Documents and Settings\JKramp\ntuser.dat.LOG
2008-04-18 11:26 . 2008-04-18 11:26 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-04-18 11:26 . 2008-04-18 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-18 11:18 . 2008-04-18 11:18 <DIR> d-------- C:\Program Files\Novatel Wireless
2008-04-18 11:18 . 2006-10-20 10:28 26,368 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-04-18 11:17 . 2008-04-18 11:17 <DIR> d-------- C:\Program Files\Verizon Wireless
2008-04-18 11:17 . 2008-04-18 11:17 <DIR> d-------- C:\Program Files\Common Files\Research in Motion
2008-04-18 11:04 . 2008-04-18 11:04 <DIR> d-------- C:\Oracle
2008-04-18 10:57 . 2008-04-18 10:58 <DIR> d-------- C:\Program Files\Common Files\EE 7.0
2008-04-18 10:55 . 2008-03-20 17:10 <DIR> d-------- C:\Documents and Settings\RWray\WINDOWS
2008-04-18 10:55 . 2008-03-19 10:13 <DIR> d---s---- C:\Documents and Settings\RWray\UserData
2008-04-18 10:55 . 2008-03-21 11:43 <DIR> d-------- C:\Documents and Settings\RWray\pnlinks
2008-04-18 10:55 . 2008-03-19 11:06 <DIR> d-------- C:\Documents and Settings\RWray\Application Data\U3
2008-04-18 10:55 . 2008-03-20 09:36 <DIR> d-------- C:\Documents and Settings\RWray\Application Data\Intel
2008-04-18 10:55 . 2008-03-19 16:27 <DIR> d-------- C:\Documents and Settings\RWray\Application Data\ICAClient
2008-04-18 10:55 . 2008-04-18 10:55 <DIR> d-------- C:\Documents and Settings\RWray
2008-04-18 10:55 . 2008-04-23 15:04 1,024 --ah----- C:\Documents and Settings\RWray\ntuser.dat.LOG
2008-04-18 10:50 . 2008-04-18 10:54 <DIR> d-------- C:\WINDOWS\nview
2008-04-18 10:50 . 2006-01-19 09:14 180,224 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-04-18 10:50 . 2008-04-21 19:04 124,478 --a------ C:\WINDOWS\system32\nvModes.dat
2008-04-18 10:50 . 2008-04-23 14:56 124,478 --a------ C:\WINDOWS\system32\nvModes.001
2008-04-18 10:50 . 2008-04-18 10:50 61,480 --a------ C:\WINDOWS\system32\nvapps.xml
2008-04-18 10:50 . 2006-01-19 09:14 16,356 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-04-18 10:50 . 2008-04-18 12:28 0 --a------ C:\WINDOWS\system32\NvwsApps.xml
2008-04-18 10:49 . 2006-01-19 11:10 180,224 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-04-18 10:32 . 2008-03-20 17:10 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS
2008-04-18 10:32 . 2008-03-19 10:13 <DIR> d---s---- C:\Documents and Settings\Default User\UserData
2008-04-18 10:32 . 2008-03-21 11:43 <DIR> d-------- C:\Documents and Settings\Default User\pnlinks
2008-04-18 10:32 . 2008-03-19 11:06 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\U3
2008-04-18 10:32 . 2008-03-19 16:27 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\ICAClient
2008-04-18 10:32 . 2008-04-18 10:32 1,024 --ah----- C:\Documents and Settings\Default User\ntuser.dat.LOG
2008-04-18 10:32 . 2008-04-23 15:04 1,024 --ah----- C:\Documents and Settings\Backup of Default User\NTUSER.DAT.LOG
2008-04-18 10:32 . 2008-04-23 14:49 1,024 --ah----- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
2008-04-18 09:03 . 2008-04-23 15:04 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
2008-04-16 10:42 . 2007-11-17 03:03 2,441,216 --a------ C:\WINDOWS\system32\nvwssr.dll
2008-04-16 10:42 . 2007-11-17 03:03 2,363,392 --a------ C:\WINDOWS\system32\nvwss.dll
2008-04-14 09:40 . 2008-04-14 09:40 61 --a------ C:\WINDOWS\smscfg.ini
2008-04-14 08:36 . 2008-04-14 08:36 <DIR> d-------- C:\installtemp
2008-03-24 10:01 . 2008-03-24 10:01 204,409 --a------ C:\WINDOWS\vantiveprod.dat
2008-03-24 10:01 . 2008-03-24 10:01 97,095 --a------ C:\WINDOWS\vantiveprod#Check Zip Code_vantive1033.scc
2008-03-23 21:54 . 2008-03-23 21:54 <DIR> d-------- C:\WINDOWS\system32\ldevents

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 18:55 47,104 ----a-w C:\WINDOWS\system32\rpcnet.dll
2008-04-23 18:55 17,408 ----a-w C:\WINDOWS\system32\rpcnetp.exe
2008-04-23 18:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\vulScan
2008-04-23 11:59 17,408 ----a-w C:\WINDOWS\system32\rpcnetp.dll
2008-04-22 20:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-21 16:52 --------- d-----w C:\Program Files\Java
2008-04-21 15:08 --------- d-----w C:\Program Files\Microsoft Office Communicator
2008-04-21 13:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 19:10 --------- d-----w C:\Program Files\Oracle
2008-04-18 15:26 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-24 14:04 --------- d-----w C:\Program Files\IMR
2008-03-21 21:43 14,096 ----a-w C:\WINDOWS\system32\pgdfgsvc.exe
2008-03-21 20:51 --------- d-----w C:\Program Files\Network Associates
2008-03-21 18:25 --------- d-----w C:\Program Files\Common Files\Network Associates
2008-03-21 18:25 --------- d-----w C:\Program Files\Common Files\Cisco Systems
2008-03-21 18:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates
2008-03-21 18:06 --------- d-----w C:\Program Files\QuickTime
2008-03-21 18:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-21 18:01 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-21 17:27 --------- d-----w C:\Program Files\LANDesk
2008-03-21 13:56 --------- d-----w C:\Program Files\CCapps
2008-03-21 13:27 --------- d-----w C:\Program Files\Vantive32
2008-03-20 20:47 --------- d-----w C:\Program Files\Best Software
2008-03-20 17:05 --------- d-----w C:\Program Files\Common Files\Deterministic Networks
2008-03-20 15:49 --------- d-----w C:\Program Files\MSECache
2008-03-20 14:56 --------- d-----w C:\Program Files\WebEx
2008-03-20 14:51 --------- d-----w C:\Program Files\ScanSoft
2008-03-20 14:51 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2008-03-20 14:05 37,027 ----a-w C:\WINDOWS\atmoUn.exe
2008-03-20 14:05 --------- d-----w C:\Program Files\Viewpoint
2008-03-20 14:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-20 13:36 376,832 ----a-w C:\WINDOWS\system32\AegisI5Installer.exe
2008-03-20 13:36 21,361 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-03-20 13:36 21,361 ----a-w C:\WINDOWS\AegisP.sys
2008-03-20 13:36 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2008-03-20 13:36 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2008-03-20 13:36 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Intel
2008-03-20 13:36 --------- d-----w C:\Documents and Settings\Default User\Application Data\Intel
2008-03-20 13:36 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Intel
2008-03-20 13:35 --------- d-----w C:\Program Files\Intel
2008-03-20 13:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2008-03-20 13:25 --------- d-----w C:\Program Files\Digital Line Detect
2008-03-20 12:50 --------- d---a-w C:\Program Files\RunAsP
2008-03-20 12:45 --------- d-----w C:\Program Files\Sysinternals
2008-03-19 20:57 --------- d-----w C:\Program Files\MSBuild
2008-03-19 20:57 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-19 20:57 --------- d-----w C:\Program Files\Microsoft Works
2008-03-19 20:55 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-03-19 20:45 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-19 20:43 --------- d-----w C:\Program Files\CyberLink
2008-03-19 20:40 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-19 20:38 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-19 20:27 --------- d-----w C:\Program Files\Citrix
2008-03-19 20:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ICAClient
2008-03-19 20:22 --------- d-----w C:\Program Files\ZANTAZ
2008-03-19 20:17 --------- d-----w C:\Program Files\Common Files\Java
2008-03-19 19:57 --------- d-----w C:\Program Files\Avaya
2008-03-19 19:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-19 19:49 --------- d-----w C:\Program Files\Cisco Systems
2008-03-19 19:40 --------- d-----w C:\Program Files\Applix
2008-03-19 19:29 --------- d-----w C:\Program Files\IBM
2008-03-19 19:16 47,104 ----a-w C:\WINDOWS\system32\rpcnet.exe
2008-03-19 15:12 --------- d-----w C:\Program Files\CONEXANT
2008-03-19 15:11 --------- d-----w C:\Program Files\SigmaTel
2008-03-19 15:06 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-03-19 14:32 --------- d-----w C:\Program Files\DIFX
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 00:58 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((( snapshot@2008-04-22_21.05.41.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-23 01:00:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-23 18:55:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-04-23 00:03:58 64,774 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-23 18:59:30 64,774 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-23 00:03:58 409,800 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-23 18:59:30 409,800 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2002-08-30 15:56:06 45,056 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBAFD32.DLL
+ 2003-07-11 15:35:20 45,056 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBAFD32.DLL
+ 2007-03-07 20:16:54 2,856,960 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBCFGRE.DLL
+ 2002-10-11 15:03:48 1,971,472 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBF422E.DLL
+ 2002-10-11 15:03:24 1,528,592 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBF422G.DLL
- 2000-03-14 02:28:36 99,840 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBFTM32.DLL
+ 2002-12-14 00:50:48 122,880 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBFTM32.DLL
- 2001-11-17 18:25:08 94,274 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBHEALR.DLL
+ 2003-02-25 05:49:56 94,274 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBHEALR.DLL
+ 2007-02-06 21:29:26 24,576 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBMIAPI.DLL
+ 2006-06-06 19:20:20 241,721 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBMINI.DLL
- 2001-11-17 18:25:12 53,248 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBMMON.DLL
+ 2003-07-18 07:44:56 40,960 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBMMON.DLL
+ 2005-06-20 19:33:06 49,152 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBNRAC2.DLL
+ 2004-06-10 14:08:58 73,728 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
+ 2007-02-06 21:29:20 7,680 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOIDPS.DLL
+ 2004-06-10 14:09:06 77,824 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
+ 2007-02-06 21:29:24 7,680 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPROPS.DLL
+ 2006-11-29 22:26:42 671,816 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPCDMC32.DLL
- 2001-11-17 18:25:18 58,368 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPDOMON.DLL
+ 2003-02-25 05:50:02 58,368 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPDOMON.DLL
+ 2005-06-20 19:33:48 163,840 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPJCMN2U.DLL
+ 2005-06-20 19:33:52 94,208 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPJIPX1U.DLL
+ 2004-10-16 10:31:22 61,440 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPNRA.EXE
+ 2004-10-08 15:04:10 36,864 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPPAPML0.DLL
+ 2002-05-25 23:08:42 61,440 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPPAPML0.EXE
+ 2004-10-08 15:04:16 45,056 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPPAPTS0.DLL
+ 2004-10-08 15:04:18 36,864 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPPASNM0.DLL
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1921FF4E-3A98-4027-B326-8A4B3D92D51E}]
C:\WINDOWS\system32\rqRhiIXo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F921DBC-867E-4DAD-B61B-556007EC4FA8}]
C:\WINDOWS\system32\efcYSmME.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"Desktop Architect"="C:\Program Files\Desktop Architect\datray.exe" [2001-05-07 18:35 53248]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-21 11:00 68856]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2002-08-06 06:20 20530]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [2002-08-06 06:20 20480]
"BGInfo"="C:\BG_Info\BGInfo.exe" [ ]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 14:18 995328]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 14:13 1101824]
"IntelAPMClient"="C:\Program Files\LANDesk\LDClient\amclient.exe" [2008-01-07 13:55 331776]
"LANDeskInventoryClient"="C:\Program Files\LANDesk\LDClient\LDIScn32.exe" [2008-01-04 18:39 1024000]
"LANDeskVulscanClient"="C:\Program Files\LANDesk\LDClient\vulScan.exe" [2007-12-13 11:49 1118208]
"SDClientMonitor"="C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2007-11-29 10:40 262144]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 08:00 98304]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2007-03-27 15:06 136768]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48 147514]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 11:22 405504]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-17 03:03 8495104]
"nwiz"="nwiz.exe" [2006-01-19 09:14 1519616 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2006-01-19 09:14 73728 C:\WINDOWS\system32\nvhotkey.dll]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 03:00 143360]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-11-17 03:03 81920]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-03-30 20:00 138008]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-03-30 20:00 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-03-30 19:59 138008]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"HP SchedIndexer"="C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe" [2002-04-22 12:56 94208]
"HP AutoIndexer"="C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe" [2002-04-22 12:57 90112]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 05:46 196608]
"AntiSpywareMaster"="C:\Program Files\AntiSpywareMaster\asm.exe" [ ]
"bcbd1fcc"="C:\WINDOWS\system32\brcawhgx.dll" [ ]
"BMbf8e2c50"="C:\WINDOWS\system32\axvlukqu.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2007-12-05 18:30 3900936]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-03-20 09:25:10 24576]
TransText.lnk - C:\Program Files\ChaosSoft\TransText\TransText.exe [2008-04-21 09:37:13 32768]
VPN Client.lnk - C:\WINDOWS\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2008-03-20 14:03:52 6144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnoNffG]
nnnoNffG.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codec"= l3codecp.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Architect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Architect.lnk
backup=C:\WINDOWS\pss\Desktop Architect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP LaserJet Director.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP LaserJet Director.lnk
backup=C:\WINDOWS\pss\HP LaserJet Director.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 14:49 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\WINDOWS\\system32\\CBA\\pds.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"%windir%\\system32\\msgsys.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\xddclient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"137:UDP"= 137:UDP:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:@xpsp2res.dll,-22002
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"67:TCP"= 67:TCP:LANDesk(R) PXE TCP Port
"67:UDP"= 67:UDP:LANDesk(R) PXE UDP Port
"9535:TCP"= 9535:TCP:LANDesk(R) Remote Control Agent TCP Port
"9535:UDP"= 9535:UDP:LANDesk(R) Remote Control Agent UDP Port
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 CBA8;LANDesk(R) Management Agent;"C:\Program Files\LANDesk\Shared Files\residentagent.exe" [2007-01-09 11:03]
R2 LDXDD;LANDesk(R) Extended device discovery service;"C:\Program Files\LANDesk\LDClient\xddclient.exe" [2007-04-17 06:19]
R2 Softmon;LANDesk(R) Software Monitoring Service;"C:\Program Files\LANDesk\LDClient\softmon.exe" [2007-11-15 11:50]
R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2005-07-01 16:48]
R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2005-07-01 16:48]
R3 WOEM_3_2a;WinPcap Packet Driver (WOEM_3_2a);C:\WINDOWS\system32\drivers\WOEM_3_2a.sys []
S3 ifclsmr;ifclsmr;C:\WINDOWS\system32\DRIVERS\ifclsmr.sys []
S3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys [2005-07-01 16:48]
S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE [1999-10-03 20:04]
S3 Oracleeeclt92ClientCache;Oracleeeclt92ClientCache;C:\Oracle\OraClt92\BIN\ONRSD.EXE [2004-10-13 11:55]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\drivers\PCASp50.sys []
S4 Oracle ADI Service;Oracle ADI Service;C:\orant\BIN\ADISRV.EXE [2004-02-04 11:40]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5486fcdc-f550-11dc-92cd-819121848907}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94b77b6d-0d64-11dd-9762-0015c5b3ea38}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 15:06:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AntiSpywareMaster = C:\Program Files\AntiSpywareMaster\asm.exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-23 15:07:00
ComboFix-quarantined-files.txt 2008-04-23 19:06:36
ComboFix2.txt 2008-04-23 01:05:59

Pre-Run: 39,120,371,712 bytes free
Post-Run: 39,108,608,000 bytes free

376
_________________________________________________________

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:09, on 2008-04-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\LANDesk\LDClient\xddclient.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\LANDesk\LDClient\LDIScn32.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\LANDesk\LDClient\vulScan.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Desktop Architect\datray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ChaosSoft\TransText\TransText.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\LIVEME~1\Addins\LMCAPI.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.newcorp.com/
O2 - BHO: (no name) - {1921FF4E-3A98-4027-B326-8A4B3D92D51E} - C:\WINDOWS\system32\rqRhiIXo.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5F921DBC-867E-4DAD-B61B-556007EC4FA8} - C:\WINDOWS\system32\efcYSmME.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [BGInfo] C:\BG_Info\BGInfo.exe C:\BG_Info\NEW.bgi /TIMER:0
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro /Retry=2 /Tspan=60 /Rstart
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=vasldcore01.newcorp.com:5007 /S=vasldcore01.newcorp.com /I=HTTP://vasldcore01.newcorp.com/ldlogon/ldappl3.ldz /NOUI /rstart=60
O4 - HKLM\..\Run: [LANDeskVulscanClient] "C:\Program Files\LANDesk\LDClient\vulScan.exe" /rstart=60
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe
O4 - HKLM\..\Run: [bcbd1fcc] rundll32.exe "C:\WINDOWS\system32\brcawhgx.dll",b
O4 - HKLM\..\Run: [BMbf8e2c50] Rundll32.exe "C:\WINDOWS\system32\axvlukqu.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: TransText.lnk = C:\Program Files\ChaosSoft\TransText\TransText.exe
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.newcorp.com
O15 - Trusted Zone: http://rio.2ui.prod.com
O15 - Trusted Zone: rio2ui2.prod.com
O15 - Trusted Zone: http://rio2ui2.prod.com
O15 - Trusted Zone: http://rio2ui2.prod.com (HKLM)
O16 - DPF: {08288600-E9D9-11D1-9C84-006008319186} (VanTFind.VanTFindCtrl) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vantfind.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {3D82A12A-C1FA-11D0-9B21-0080C79EFE90} (VanFind.VanFindCtrl) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vanfind.cab
O16 - DPF: {60046ED9-8E77-11D0-9B21-0080C79EFE90} (VanGrid.VanGridCtrl) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vangrid.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205936002109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206049725015
O16 - DPF: {ABDE29F2-6F9C-11D1-9B21-0080C79EFE90} (VanLiteral.CodeSet) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VanLiteral.CAB
O16 - DPF: {BE033B8C-722E-11D1-9B21-0080C79EFE90} (VanMessage.Message) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VanMessage.CAB
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) -
O16 - DPF: {CAFECAFE-0013-0001-0024-ABCDEFABCDEF} (JInitiator 1.3.1.24) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = newcorp.com
O17 - HKLM\Software\..\Telephony: DomainName = newcorp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = newcorp.com
O20 - Winlogon Notify: nnnoNffG - nnnoNffG.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: LANDesk(R) Extended device discovery service (LDXDD) - Unknown owner - C:\Program Files\LANDesk\LDClient\xddclient.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Oracleeeclt92ClientCache - Unknown owner - C:\Oracle\OraClt92\BIN\ONRSD.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 16354 bytes

HJT Log:

Rorschach112
2008-04-23, 23:36
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - {1921FF4E-3A98-4027-B326-8A4B3D92D51E} - C:\WINDOWS\system32\rqRhiIXo.dll (file missing)
O2 - BHO: (no name) - {5F921DBC-867E-4DAD-B61B-556007EC4FA8} - C:\WINDOWS\system32\efcYSmME.dll (file missing)
O4 - HKLM\..\Run: [bcbd1fcc] rundll32.exe "C:\WINDOWS\system32\brcawhgx.dll",b
O4 - HKLM\..\Run: [BMbf8e2c50] Rundll32.exe "C:\WINDOWS\system32\axvlukqu.dll",s
O16 - DPF: {08288600-E9D9-11D1-9C84-006008319186} (VanTFind.VanTFindCtrl) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vantfind.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {3D82A12A-C1FA-11D0-9B21-0080C79EFE90} (VanFind.VanFindCtrl) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vanfind.cab
O16 - DPF: {60046ED9-8E77-11D0-9B21-0080C79EFE90} (VanGrid.VanGridCtrl) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vangrid.cab
O16 - DPF: {ABDE29F2-6F9C-11D1-9B21-0080C79EFE90} (VanLiteral.CodeSet) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VanLiteral.CAB
O16 - DPF: {BE033B8C-722E-11D1-9B21-0080C79EFE90} (VanMessage.Message) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VanMessage.CAB
O20 - Winlogon Notify: nnnoNffG - nnnoNffG.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\xpdderwy.ini
C:\WINDOWS\system32\xghwacrb.ini
C:\WINDOWS\BMbf8e2c50.xml
E:\LaunchU3.exe

DirLook::
C:\lj1238

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5486fcdc-f550-11dc-92cd-819121848907}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94b77b6d-0d64-11dd-9762-0015c5b3ea38}]

Driver::



Save this as CFScript.txt, in the same location as ComboFix.exe


http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Reboot and post a new HijackThis log
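As an added triage helper, not part of either post above: a small Python script that reads HijackThis entries and flags the kinds Rorschach112 picked out (BHO and Winlogon Notify hooks whose DLL is missing, Run values where rundll32 calls a one-letter export of a random-named system32 DLL, and O16 ActiveX controls installed from a local Temp folder). The sample lines are copied from the log in this thread; the heuristics are assumptions of this example, not HijackThis's own rules.

```python
import re

# Constructed sample: O2/O4/O16/O20 entries copied from the HijackThis
# log posted in this thread, mixed with benign ones.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1921FF4E-3A98-4027-B326-8A4B3D92D51E} - C:\WINDOWS\system32\rqRhiIXo.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bcbd1fcc] rundll32.exe "C:\WINDOWS\system32\brcawhgx.dll",b
O4 - HKLM\..\Run: [BMbf8e2c50] Rundll32.exe "C:\WINDOWS\system32\axvlukqu.dll",s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O16 - DPF: {08288600-E9D9-11D1-9C84-006008319186} (VanTFind.VanTFindCtrl) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vantfind.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: nnnoNffG - nnnoNffG.dll (file missing)
"""

# O4 line: hive, value name in [...], then the command line.
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# rundll32 <dll>,<export> with the DLL path optionally quoted.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?,(?P<export>\S*)', re.I)
# Value names like bcbd1fcc / BMbf8e2c50 (assumed heuristic, not an HJT rule).
HEXISH_RE = re.compile(r'^(?:BM)?[0-9a-f]{8}$')

def triage(log_text):
    """Return [(line, reason)] for entries that deserve a second look."""
    flagged = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(('O2 - ', 'O20 - ')) and line.endswith('(file missing)'):
            flagged.append((line, 'orphaned hook: registered DLL is no longer on disk'))
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m.group('cmd'))
            if r and len(r.group('export')) == 1:
                flagged.append((line, 'rundll32 calling a one-letter export of %s' % r.group('dll')))
            elif HEXISH_RE.match(m.group('name')):
                flagged.append((line, 'Run value name looks machine-generated'))
            continue
        if line.startswith('O16 - ') and re.search(r'file://.*\\Temp\\', line, re.I):
            flagged.append((line, 'ActiveX control installed from a local Temp folder'))
    return flagged

if __name__ == '__main__':
    for entry, why in triage(SAMPLE_LOG):
        print(why, '->', entry)
```

Running it on the sample prints five flagged entries, the same ones the reply above asked to have fixed, while the vendor-signed QuickTime, NVIDIA and Kaspersky lines pass through unflagged.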