View Full Version : Don
dmasseyjr
2008-05-01, 21:19
I need some help cleaning up "Virtumonde.dll"
Have ran Spybot and cleaned onlt to rebot and it returns.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:01 PM, on 5/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Rockwell\EventServer.exe
C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\tme3srv.exe
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wdn32app.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe
C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\AOL\1209414543\ee\AOLSoftware.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://greatsoftwareoffer.toshiba.com/
O2 - BHO: (no name) - {1D0B1B2F-4D44-48DC-AE5A-F4BBBAE2A83F} - C:\WINDOWS\system32\iifgFXQh.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6cede19e-23e8-4ad6-8cef-6c10630160a5} - (no file)
O2 - BHO: (no name) - {6D5D124D-DCAD-413F-89C3-37C6F5CE7969} - C:\WINDOWS\system32\khfGwVME.dll (file missing)
O2 - BHO: (no name) - {6EDD1D6C-32CB-40F0-AEB5-A74B4D1FB422} - (no file)
O2 - BHO: (no name) - {D79D4560-C79F-4538-967C-AD6803293B63} - C:\WINDOWS\system32\fccaWPJd.dll (file missing)
O2 - BHO: (no name) - {F4B9D1FF-90EB-4C7E-9886-BA6683800155} - (no file)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TMEPROP] C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe -S
O4 - HKLM\..\Run: [DockMsgFrom] C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1209414543\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\fylhtydv.dll",b
O4 - HKLM\..\Run: [BMb78e940f] Rundll32.exe "C:\WINDOWS\system32\cbmuerio.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: On-Screen TimeClock.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136991695123
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.internal
O17 - HKLM\Software\..\Telephony: DomainName = northamerica.internal
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.internal
O20 - Winlogon Notify: iifgFXQh - iifgFXQh.dll (file missing)
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
O23 - Service: Rockwell Event Server (EventServer) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Automation - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe
O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
O23 - Service: Rockwell HMI Activity Logger - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
O23 - Service: Rockwell HMI Diagnostics - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
O23 - Service: Rockwell Tag Server - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe
O23 - Service: RSLinx Classic (RSLinx) - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
O23 - Service: RSLinx Enterprise (RSLinxNG) - Rockwell Automation - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TME3SRV - IEC - C:\Program Files\TOSHIBA\TOSHIBA Applet\tme3srv.exe
--
End of file - 17131 bytes
Rorschach112
2008-05-01, 21:29
Hello
Please visit this web page for instructions for downloading and running ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet.
For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.
Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
dmasseyjr
2008-05-01, 22:06
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:05, on 2008-05-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Rockwell\EventServer.exe
C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\tme3srv.exe
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wdn32app.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe
C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\AOL\1209414543\ee\AOLSoftware.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\AOL 9.1\shellmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://greatsoftwareoffer.toshiba.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6cede19e-23e8-4ad6-8cef-6c10630160a5} - (no file)
O2 - BHO: (no name) - {6D5D124D-DCAD-413F-89C3-37C6F5CE7969} - C:\WINDOWS\system32\khfGwVME.dll (file missing)
O2 - BHO: (no name) - {6EDD1D6C-32CB-40F0-AEB5-A74B4D1FB422} - (no file)
O2 - BHO: (no name) - {D79D4560-C79F-4538-967C-AD6803293B63} - C:\WINDOWS\system32\fccaWPJd.dll (file missing)
O2 - BHO: (no name) - {F4B9D1FF-90EB-4C7E-9886-BA6683800155} - (no file)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TMEPROP] C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe -S
O4 - HKLM\..\Run: [DockMsgFrom] C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe
O4 - HKLM\..\Run: rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1209414543\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\fylhtydv.dll",b
O4 - HKLM\..\Run: [BMb78e940f] Rundll32.exe "C:\WINDOWS\system32\cbmuerio.dll",s
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: On-Screen TimeClock.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136991695123
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.internal
O17 - HKLM\Software\..\Telephony: DomainName = northamerica.internal
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.internal
O20 - Winlogon Notify: iifgFXQh - iifgFXQh.dll (file missing)
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
O23 - Service: Rockwell Event Server (EventServer) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Automation - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe
O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
O23 - Service: Rockwell HMI Activity Logger - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
O23 - Service: Rockwell HMI Diagnostics - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
O23 - Service: Rockwell Tag Server - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe
O23 - Service: RSLinx Classic (RSLinx) - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
O23 - Service: RSLinx Enterprise (RSLinxNG) - Rockwell Automation - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TME3SRV - IEC - C:\Program Files\TOSHIBA\TOSHIBA Applet\tme3srv.exe
--
End of file - 16799 bytes
ComboFix 08-04-29.5 - DMassey 2008-05-01 13:46:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.443 [GMT -5:00]
Running from: C:\Data\aaaa\a\ComboFix.exe
* Created a new restore point
* Resident AV is active
[b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dJPWaccf.ini
C:\WINDOWS\system32\dJPWaccf.ini2
C:\WINDOWS\system32\EMVwGfhk.ini
C:\WINDOWS\system32\EMVwGfhk.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\owgywukh.ini
C:\WINDOWS\system32\rgecmynm.ini
C:\WINDOWS\system32\sft.res
C:\WINDOWS\system32\vdythlyf.ini
----- BITS: Possible infected sites -----
hxxp://80.93.48.74
.
((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.
2008-05-01 13:01 . 2008-05-01 13:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-01 10:06 . 2008-05-01 10:06 <DIR> d-------- C:\Program Files\CCleaner
2008-04-29 09:05 . 2008-04-29 09:02 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-29 09:05 . 2008-04-29 09:05 2,543 --a------ C:\WINDOWS\unins000.dat
2008-04-28 15:31 . 2003-01-10 16:13 33,588 -ra------ C:\WINDOWS\system32\drivers\wanatw4.sys
2008-04-28 15:28 . 2008-04-28 15:28 <DIR> d-------- C:\WINDOWS\aolshare
2008-04-28 15:28 . 2008-04-28 15:34 <DIR> d-------- C:\Program Files\Common Files\aolshare
2008-04-28 15:28 . 2008-04-28 15:38 <DIR> d-------- C:\Program Files\AOL 9.1
2008-04-28 10:47 . 2008-04-28 10:47 4 --a------ C:\WINDOWS\msoffice.ini
2008-04-27 23:22 . 2008-04-30 10:38 109,783 --a------ C:\WINDOWS\BMb78e940f.xml
2008-04-27 12:59 . 2008-04-27 12:59 578 --a------ C:\WINDOWS\index.html
2008-04-26 23:14 . 2004-08-04 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-21 08:41 . 2008-04-21 08:41 <DIR> d-------- C:\Program Files\Western Digital Technologies
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 16:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-29 14:06 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-29 13:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-29 13:31 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-29 13:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-04-29 13:22 --------- d-----w C:\Documents and Settings\DMassey\Application Data\AOL
2008-04-28 20:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-28 15:57 --------- d-----w C:\Program Files\Pure Networks
2008-04-28 15:33 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-04-27 23:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-27 23:02 --------- d-----w C:\Program Files\Common Files\Rockwell
2008-04-27 04:14 6,656 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-03-20 19:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-03-18 14:21 --------- d-----w C:\Documents and Settings\DMassey\Application Data\Intuit
2008-03-13 13:43 --------- d-----w C:\Program Files\mobile PhoneTools
2008-03-13 13:43 --------- d-----w C:\Program Files\LiveUpdate
2007-08-12 17:28 166 ----a-w C:\Documents and Settings\DMassey\Application Data\wklnhst.dat
2003-08-27 22:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D0B1B2F-4D44-48DC-AE5A-F4BBBAE2A83F}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cede19e-23e8-4ad6-8cef-6c10630160a5}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D5D124D-DCAD-413F-89C3-37C6F5CE7969}]
C:\WINDOWS\system32\khfGwVME.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6EDD1D6C-32CB-40F0-AEB5-A74B4D1FB422}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D79D4560-C79F-4538-967C-AD6803293B63}]
C:\WINDOWS\system32\fccaWPJd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F4B9D1FF-90EB-4C7E-9886-BA6683800155}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 06:24 65536]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"AOL Fast Start"="C:\Program Files\AOL 9.1\AOL.exe" [2008-03-06 05:12 50528]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPSMain"="TPSMain.exe" [2004-08-27 12:34 278528 C:\WINDOWS\system32\TPSMain.exe]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2005-01-14 19:45 352256]
"TMEPROP"="C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe" [2005-01-15 00:26 253952]
"DockMsgFrom"="C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe" [2004-11-11 17:04 114688]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-08 00:10 344064]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 16:48 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 11:27 860160]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 18:28 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 18:26 688218]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-05 20:16 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 88363 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2004-11-12 20:57 73728]
"TFncKy"="TFncKy.exe" []
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 17:03 1077301]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-15 18:03 135168]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-03 04:05 122939]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 17:20 94208]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-08-13 15:17 58488]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2004-11-03 14:12 147456]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 14:27 385024]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 14:31 356352]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe" [2007-05-18 04:03 190016]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [2007-03-06 17:25 468544]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2002-05-07 08:20 20530]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [2002-05-07 08:20 24626]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [2002-05-07 08:20 45056]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [2002-05-07 08:20 20530]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-05 14:51 98304]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50 71216]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 06:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 06:03 81920]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 20:08 813912]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 18:52 849280]
"HostManager"="C:\Program Files\Common Files\AOL\1209414543\ee\AOLSoftware.exe" [2007-05-25 12:16 42032]
"b4bda793"="C:\WINDOWS\system32\fylhtydv.dll" [ ]
"BMb78e940f"="C:\WINDOWS\system32\cbmuerio.dll" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 07:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]
On-Screen TimeClock.lnk - C:\WINDOWS\Installer\{ABDB4A1C-4583-4127-BDF1-BE720FE10D20}\ShortCut_TimeClock_ABDB4A1C45834127BDF1BE720FE10D20.exe [2006-01-11 09:58:57 40960]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-30 23:58:01 155648]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 16:51:54 45568]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-01-11 09:08:31 106560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifgFXQh]
iifgFXQh.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 14:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Data\\MachShop\\MachineShop.exe"=
"C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\1209414543\\ee\\aolsoftware.exe"=
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2007-03-06 17:25]
R3 EventServer;Rockwell Event Server;"C:\Program Files\Common Files\Rockwell\EventServer.exe" [2005-06-23 17:29]
R3 PcmkWdm;%PcmkWdm.DeviceDesc%;C:\WINDOWS\system32\DRIVERS\PcmkWdm.sys [2004-02-11 03:37]
S1 VirtualBackplane;A-B Virtual Backplane;C:\WINDOWS\system32\Drivers\VirtualBackplane.sys []
S3 ABKTCX;Rockwell Software 1784-KTC(X) Driver;C:\WINDOWS\system32\Drivers\ABKTCX.sys [2004-06-03 05:08]
S3 abpcd;Allen-Bradley 1784-PCD 32-Bit Driver;C:\WINDOWS\system32\DRIVERS\abpcd.sys [2004-08-27 12:19]
S3 pcidnt;A-B 1784-PCIDS;C:\WINDOWS\system32\Drivers\pcidnt.sys []
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;C:\WINDOWS\system32\RS_SS_NT.SYS [2004-06-03 05:08]
S3 RSI-PKTX-A;RSI-PKTX-A;C:\WINDOWS\system32\drivers\RSI-PKTX-A.SYS [2002-11-13 14:38]
S3 RsiKtControl;RsiKtControl;C:\WINDOWS\system32\RSIKT.SYS [2004-06-03 05:08]
S3 RSLINXNGKtControl;RSLINXNGKtControl;C:\WINDOWS\system32\drivers\RSIKTNG.SYS [2002-04-23 19:02]
S3 RSSERIAL;RSLinx Classic Serial Driver;C:\WINDOWS\system32\RSSERIAL.SYS [2004-06-03 05:08]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2004-05-17 18:18]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f96cc835-0fa5-11dd-aa0e-00038a000015}]
\Shell\AutoRun\command - E:\wd_windows_tools\setup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule
.
Contents of the 'Scheduled Tasks' folder
"2008-05-01 17:15:35 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 13:56:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1695 bytes
C:\WINDOWS\system32\clbdll.dll 29184 bytes executable
scan completed successfully
hidden files: 6
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Toshiba\Toshiba Applet\TMEEJDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\acs\AOLacsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Rockwell Software\RSCOMMON\RSOBSERV.EXE
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\tme3srv.exe
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\WDN32APP.EXE
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\AOL 9.1\shellmon.exe
.
**************************************************************************
.
Completion time: 2008-05-01 14:02:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-01 19:02:45
Pre-Run: 35,699,580,928 bytes free
Post-Run: 35,608,649,728 bytes free
255 --- E O F --- 2008-04-09 13:39:38
Rorschach112
2008-05-01, 22:13
Hello
Can you please follow the instructions for installing the Recovery Console
1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):
O2 - BHO: (no name) - {6cede19e-23e8-4ad6-8cef-6c10630160a5} - (no file)
O2 - BHO: (no name) - {6D5D124D-DCAD-413F-89C3-37C6F5CE7969} - C:\WINDOWS\system32\khfGwVME.dll (file missing)
O2 - BHO: (no name) - {6EDD1D6C-32CB-40F0-AEB5-A74B4D1FB422} - (no file)
O2 - BHO: (no name) - {D79D4560-C79F-4538-967C-AD6803293B63} - C:\WINDOWS\system32\fccaWPJd.dll (file missing)
O2 - BHO: (no name) - {F4B9D1FF-90EB-4C7E-9886-BA6683800155} - (no file)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\fylhtydv.dll",b
O4 - HKLM\..\Run: [BMb78e940f] Rundll32.exe "C:\WINDOWS\system32\cbmuerio.dll",s
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O20 - Winlogon Notify: iifgFXQh - iifgFXQh.dll (file missing)
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\BMb78e940f.xml
Rootkit::
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\clb.dll
C:\WINDOWS\system32\clbcatex.dll
C:\WINDOWS\system32\clbcatq.dll
C:\WINDOWS\system32\clbcfg.dat
C:\WINDOWS\system32\clbdll.dll
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f96cc835-0fa5-11dd-aa0e-00038a000015}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver]
[-HKEY_CLASSES_ROOT\CLSID\{f96cc835-0fa5-11dd-aa0e-00038a000015}]
[-HKEY_CLASSES_ROOT\CLSID\{66186F05-BBBB-4a39-864F-72D84615C679}]
Save this as CFScript.txt, in the same location as ComboFix.exe
http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:
C:\WINDOWS\system32\drivers\beep.sys
Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.
Repeat it for this file
C:\WINDOWS\system32\beep.sys
dmasseyjr
2008-05-01, 22:54
File has already been analysed:
MD5: d54c549d5e2933194668f8611895f954
First received: 04.29.2008 18:00:45 (CET)
Date: 04.30.2008 20:57:50 (CET) [+1D]
Results: 16/31
Permalink: analisis/1472bbd320d18729ec3fe09177669f88
File has already been analysed:
MD5: da1f27d85e0d1525f6621372e7b685e9
First received: 04.17.2008 07:23:36 (CET)
Date: 04.29.2008 04:10:13 (CET) [>2D]
Results: 0/32
Permalink: analisis/f92d0ccbecc486bfce0942c16b86b1cc
Rorschach112
2008-05-01, 23:05
Can you post me the link to those files scanned
dmasseyjr
2008-05-01, 23:16
http://www.virustotal.com/reanalisis.html?77522bc1794789af26f641cb93e902a5
http://www.virustotal.com/reanalisis.html?6ee1d0d361249366e7911c3197227de2
dmasseyjr
2008-05-02, 00:20
Any one out there?
What else do WE need to do?
Rorschach112
2008-05-02, 00:38
I am a volunteer here, that means I do this in my free time. My replies have been very prompt already, and when people make the posts you do, it is very rude
We don't get paid for this, or receive anything. We are not obliged to help either, we do this because we wish to help out the community.
If you want me to close this thread so you can get another helper, please let me know
dmasseyjr
2008-05-02, 00:56
I was not tring to be rude it is just that I have been addressing this issue for 5 days.
I am a little short of patence at this point and am sorry for taking it out on you.
I have not had any thing that I was unable to address upto now and am not taking it well.
So with that said, is there any assistance that you would be willing to supply to try and bring this to a resolution?
Thanks for your time.
Don M.
Rorschach112
2008-05-02, 02:06
Post the ComboFix log after running my previous instructions, and a new HijackThis log
Then do this
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.
dmasseyjr
2008-05-02, 02:23
ComboFix 08-04-29.5 - DMassey 2008-05-01 14:33:51.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.481 [GMT -5:00]
Running from: C:\Documents and Settings\DMassey\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\DMassey\Desktop\cfscript.txt
* Created a new restore point
* Resident AV is active
FILE ::
C:\WINDOWS\BMb78e940f.xml
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BMb78e940f.xml
C:\WINDOWS\system32\cdosys.dll
C:\WINDOWS\system32\clb.dll
C:\WINDOWS\system32\clbcatex.dll
C:\WINDOWS\system32\clbcatq.dll
C:\WINDOWS\system32\clbcfg.dat
C:\WINDOWS\system32\drivers\vmdesched.sys
.
((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.
2008-05-01 13:01 . 2008-05-01 13:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-01 10:06 . 2008-05-01 10:06 <DIR> d-------- C:\Program Files\CCleaner
2008-04-29 09:05 . 2008-04-29 09:02 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-29 09:05 . 2008-04-29 09:05 2,543 --a------ C:\WINDOWS\unins000.dat
2008-04-28 15:31 . 2003-01-10 16:13 33,588 -ra------ C:\WINDOWS\system32\drivers\wanatw4.sys
2008-04-28 15:28 . 2008-04-28 15:28 <DIR> d-------- C:\WINDOWS\aolshare
2008-04-28 15:28 . 2008-04-28 15:34 <DIR> d-------- C:\Program Files\Common Files\aolshare
2008-04-28 15:28 . 2008-04-28 15:38 <DIR> d-------- C:\Program Files\AOL 9.1
2008-04-28 10:47 . 2008-04-28 10:47 4 --a------ C:\WINDOWS\msoffice.ini
2008-04-27 12:59 . 2008-04-27 12:59 578 --a------ C:\WINDOWS\index.html
2008-04-26 23:14 . 2004-08-04 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-21 08:41 . 2008-04-21 08:41 <DIR> d-------- C:\Program Files\Western Digital Technologies
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 16:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-29 14:06 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-29 13:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-29 13:31 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-29 13:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-04-29 13:22 --------- d-----w C:\Documents and Settings\DMassey\Application Data\AOL
2008-04-28 20:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-28 15:57 --------- d-----w C:\Program Files\Pure Networks
2008-04-28 15:33 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-04-27 23:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-27 23:02 --------- d-----w C:\Program Files\Common Files\Rockwell
2008-04-27 04:14 6,656 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-03-20 19:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-03-18 14:21 --------- d-----w C:\Documents and Settings\DMassey\Application Data\Intuit
2008-03-13 13:43 --------- d-----w C:\Program Files\mobile PhoneTools
2008-03-13 13:43 --------- d-----w C:\Program Files\LiveUpdate
2007-08-12 17:28 166 ----a-w C:\Documents and Settings\DMassey\Application Data\wklnhst.dat
2003-08-27 22:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.
((((((((((((((((((((((((((((( snapshot@2008-05-01_14.02.27.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-01 18:54:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-01 19:37:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-01 18:54:17 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-01 19:37:47 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-01 18:54:17 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-01 19:37:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-01 18:54:17 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-01 19:37:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 06:24 65536]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPSMain"="TPSMain.exe" [2004-08-27 12:34 278528 C:\WINDOWS\system32\TPSMain.exe]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2005-01-14 19:45 352256]
"TMEPROP"="C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe" [2005-01-15 00:26 253952]
"DockMsgFrom"="C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe" [2004-11-11 17:04 114688]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-08 00:10 344064]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 16:48 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 11:27 860160]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 18:28 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 18:26 688218]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-05 20:16 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 88363 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2004-11-12 20:57 73728]
"TFncKy"="TFncKy.exe" []
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 17:03 1077301]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-15 18:03 135168]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-03 04:05 122939]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 17:20 94208]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-08-13 15:17 58488]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2004-11-03 14:12 147456]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 14:27 385024]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 14:31 356352]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe" [2007-05-18 04:03 190016]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [2007-03-06 17:25 468544]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2002-05-07 08:20 20530]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [2002-05-07 08:20 24626]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [2002-05-07 08:20 45056]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [2002-05-07 08:20 20530]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-05 14:51 98304]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50 71216]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 06:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 06:03 81920]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 20:08 813912]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 18:52 849280]
"HostManager"="C:\Program Files\Common Files\AOL\1209414543\ee\AOLSoftware.exe" [2007-05-25 12:16 42032]
"combofix"="C:\WINDOWS\system32\CF26598.exe" [2004-08-04 07:00 388608]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 07:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]
On-Screen TimeClock.lnk - C:\WINDOWS\Installer\{ABDB4A1C-4583-4127-BDF1-BE720FE10D20}\ShortCut_TimeClock_ABDB4A1C45834127BDF1BE720FE10D20.exe [2006-01-11 09:58:57 40960]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-30 23:58:01 155648]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 16:51:54 45568]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-01-11 09:08:31 106560]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 14:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Data\\MachShop\\MachineShop.exe"=
"C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\1209414543\\ee\\aolsoftware.exe"=
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2007-03-06 17:25]
R3 EventServer;Rockwell Event Server;"C:\Program Files\Common Files\Rockwell\EventServer.exe" [2005-06-23 17:29]
R3 PcmkWdm;%PcmkWdm.DeviceDesc%;C:\WINDOWS\system32\DRIVERS\PcmkWdm.sys [2004-02-11 03:37]
S1 VirtualBackplane;A-B Virtual Backplane;C:\WINDOWS\system32\Drivers\VirtualBackplane.sys []
S3 ABKTCX;Rockwell Software 1784-KTC(X) Driver;C:\WINDOWS\system32\Drivers\ABKTCX.sys [2004-06-03 05:08]
S3 abpcd;Allen-Bradley 1784-PCD 32-Bit Driver;C:\WINDOWS\system32\DRIVERS\abpcd.sys [2004-08-27 12:19]
S3 pcidnt;A-B 1784-PCIDS;C:\WINDOWS\system32\Drivers\pcidnt.sys []
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;C:\WINDOWS\system32\RS_SS_NT.SYS [2004-06-03 05:08]
S3 RSI-PKTX-A;RSI-PKTX-A;C:\WINDOWS\system32\drivers\RSI-PKTX-A.SYS [2002-11-13 14:38]
S3 RsiKtControl;RsiKtControl;C:\WINDOWS\system32\RSIKT.SYS [2004-06-03 05:08]
S3 RSLINXNGKtControl;RSLINXNGKtControl;C:\WINDOWS\system32\drivers\RSIKTNG.SYS [2002-04-23 19:02]
S3 RSSERIAL;RSLinx Classic Serial Driver;C:\WINDOWS\system32\RSSERIAL.SYS [2004-06-03 05:08]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2004-05-17 18:18]
.
Contents of the 'Scheduled Tasks' folder
"2008-05-01 17:15:35 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 14:41:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1695 bytes
C:\WINDOWS\system32\clbdll.dll 29184 bytes executable
scan completed successfully
hidden files: 3
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Toshiba\Toshiba Applet\TMEEJDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\acs\AOLacsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Rockwell Software\RSCOMMON\RSOBSERV.EXE
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\tme3srv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\WINDOWS\system32\WDN32APP.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-05-01 14:46:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-01 19:46:14
ComboFix2.txt 2008-05-01 19:24:37
ComboFix3.txt 2008-05-01 19:02:52
Pre-Run: 35,519,627,264 bytes free
Post-Run: 35,503,022,080 bytes free
236 --- E O F --- 2008-04-09 13:39:38
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:20, on 2008-05-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Rockwell\EventServer.exe
C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\tme3srv.exe
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\WINDOWS\system32\wdn32app.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe
C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\AOL\1209414543\ee\AOLSoftware.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://greatsoftwareoffer.toshiba.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TMEPROP] C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe -S
O4 - HKLM\..\Run: [DockMsgFrom] C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1209414543\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF26598.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: On-Screen TimeClock.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136991695123
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.internal
O17 - HKLM\Software\..\Telephony: DomainName = northamerica.internal
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.internal
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
O23 - Service: Rockwell Event Server (EventServer) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Automation - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe
O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
O23 - Service: Rockwell HMI Activity Logger - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
O23 - Service: Rockwell HMI Diagnostics - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
O23 - Service: Rockwell Tag Server - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe
O23 - Service: RSLinx Classic (RSLinx) - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
O23 - Service: RSLinx Enterprise (RSLinxNG) - Rockwell Automation - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TME3SRV - IEC - C:\Program Files\TOSHIBA\TOSHIBA Applet\tme3srv.exe
--
End of file - 15659 bytes
Rorschach112
2008-05-02, 02:40
Ok post the SDFix log there
dmasseyjr
2008-05-02, 04:16
Sorry for the delay, had to get something to eat.
The SDFix was slow, kept getting "regedit.exe - unable to locate component" Errors.
SDFix: Version 1.177
Run by Administrator on Thu 05/01/2008 at 06:55 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 19:11:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vmdesched.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vmdesched.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00037a209280]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\vmdesched.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\vmdesched.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\vmdesched.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00037a209280]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\vmdesched.sys"
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData]
"affid"="7"
"subid"="run01"
"prov"="10010"
"server"=" "
"flagged"=dword:00000001
"downloaded"=dword:00000001
"googleadserver"="pagead2.googlesyndication.com"
scanning hidden files ...
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\drivers\vmdesched.sys 6656 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1695 bytes
C:\WINDOWS\system32\cdosys.dll 29184 bytes executable
C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll 501248 bytes executable
scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 7
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine"
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"="C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe:*:Enabled:McAfee Managed Services Agent"
"C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"="C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe:*:Enabled:ConfigFree SUMMIT Engine"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Data\\MachShop\\MachineShop.exe"="C:\\Data\\MachShop\\MachineShop.exe:*:Enabled:MachineShop Executable"
"C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"="C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe:*:Enabled:Component of the RSLogix 5000 Application"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL Topspeed"
"C:\\Program Files\\AOL 9.1\\waol.exe"="C:\\Program Files\\AOL 9.1\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL System Information"
"C:\\Program Files\\Common Files\\AOL\\1209414543\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1209414543\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"="C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe:*:Enabled:McAfee Managed Services Agent"
"C:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE"="C:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE:*:Disabled:WFXMSRVR"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"="C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe:*:Enabled:ConfigFree SUMMIT Engine"
"C:\\Data\\MachShop\\MachineShop.exe"="C:\\Data\\MachShop\\MachineShop.exe:*:Enabled:MachineShop Executable"
"C:\\Program Files\\Common Files\\Rockwell\\EventClientMultiplexer.exe"="C:\\Program Files\\Common Files\\Rockwell\\EventClientMultiplexer.exe:*:Enabled:EventClientMultiplexer.exe"
"C:\\Program Files\\Common Files\\Rockwell\\RsvcHost.exe"="C:\\Program Files\\Common Files\\Rockwell\\RsvcHost.exe:*:Enabled:RsvcHost.exe"
"C:\\Program Files\\Common Files\\Rockwell\\RnaDirServer.exe"="C:\\Program Files\\Common Files\\Rockwell\\RnaDirServer.exe:*:Enabled:RnaDirServer.exe"
"C:\\Program Files\\Common Files\\Rockwell\\EventServer.exe"="C:\\Program Files\\Common Files\\Rockwell\\EventServer.exe:*:Enabled:EventServer.exe"
"C:\\Program Files\\Common Files\\Rockwell\\DaClient.exe"="C:\\Program Files\\Common Files\\Rockwell\\DaClient.exe:*:Enabled:DaClient.exe"
"C:\\Program Files\\Common Files\\Rockwell\\RNADiagReceiver.exe"="C:\\Program Files\\Common Files\\Rockwell\\RNADiagReceiver.exe:*:Enabled:RnaDiagReceiver.exe"
"C:\\Program Files\\Common Files\\Rockwell\\RNADiagnosticsSrv.exe"="C:\\Program Files\\Common Files\\Rockwell\\RNADiagnosticsSrv.exe:*:Enabled:RnaDiagnosticsSrv.exe"
"C:\\Program Files\\Common Files\\Rockwell\\VStudio.exe"="C:\\Program Files\\Common Files\\Rockwell\\VStudio.exe:*:Enabled:VStudio.exe"
"C:\\WINDOWS\\system32\\OpcEnum.exe"="C:\\WINDOWS\\system32\\OpcEnum.exe:*:Enabled:OPCEnum.exe"
"C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxNG.exe"="C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxNG.exe:*:Enabled:RSLinxNG.exe"
"C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxShortcutAOA.exe"="C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxShortcutAOA.exe:*:Enabled:RSLinxShortcutAOA.exe"
"C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\CounterMonitor.exe"="C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\CounterMonitor.exe:*:Enabled:CounterMonitor.exe"
"C:\\Program Files\\Rockwell Software\\RSView Enterprise\\MERuntime.exe"="C:\\Program Files\\Rockwell Software\\RSView Enterprise\\MERuntime.exe:*:Enabled:MERuntime.exe"
"C:\\Program Files\\Rockwell Software\\RSView Enterprise\\TagSrv.exe"="C:\\Program Files\\Rockwell Software\\RSView Enterprise\\TagSrv.exe:*:Enabled:TagSrv.exe"
"C:\\Program Files\\Rockwell Software\\RSLINX\\RSLINX.EXE"="C:\\Program Files\\Rockwell Software\\RSLINX\\RSLINX.EXE:*:Enabled:RSLinx.exe"
"C:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe"="C:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe:*:Enabled:OPCTest.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Common Files\\AOL\\1150132139\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1150132139\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"="C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe:*:Enabled:RSLogix 5000 v16.00.00 "
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Phoenix Contact\\CLIP PROJECT advanced\\marking\\1.0.64\\ClipProjectMarking.exe"="C:\\Program Files\\Phoenix Contact\\CLIP PROJECT advanced\\marking\\1.0.64\\ClipProjectMarking.exe:*:Enabled:CLIP PROJECT marking"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 23 Oct 2006 616 ..SHR --- "C:\EVRSI.SYS"
Thu 6 Mar 2008 46,432 A..H. --- "C:\Program Files\AOL 9.1\AOLphx.exe"
Thu 6 Mar 2008 54,624 A..H. --- "C:\Program Files\AOL 9.1\AOLphxex.exe"
Thu 6 Mar 2008 33,120 A..H. --- "C:\Program Files\AOL 9.1\rbm.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 14 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 18 Apr 2003 1,233,920 A..H. --- "C:\Program Files\Rockwell Software\RSLogix 5000 Tools\RSLogix 5000 IEC61131-3 Translation Tool\msxml4.dll"
Mon 28 Apr 2008 96,072 ...H. --- "C:\Program Files\Common Files\AOL\TopSpeed\3.0\WBUnins.exe"
Thu 18 May 2006 24,118 A..H. --- "C:\Documents and Settings\administrator.NORTHAMERICA\Application Data\Microsoft\Office\Shortcut Bar\ProD.tmp"
Thu 12 Jan 2006 19,318 A..H. --- "C:\Documents and Settings\DMassey\Application Data\Microsoft\Office\Shortcut Bar\ProB.tmp"
Wed 11 Jan 2006 8,246 A..H. --- "C:\Documents and Settings\DMassey\Application Data\Microsoft\Office\Shortcut Bar\ProBh.tmp"
Wed 11 Jan 2006 8,246 A..H. --- "C:\Documents and Settings\DMassey\Application Data\Microsoft\Office\Shortcut Bar\ProBs.tmp"
Mon 19 Jun 2006 5,239 ...HR --- "C:\Program Files\Rockwell Software\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\CHOICE.com"
Tue 30 Nov 1999 10,000 ...HR --- "C:\Program Files\Rockwell Software\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\kill.exe"
Thu 11 Nov 1999 63,248 ...HR --- "C:\Program Files\Rockwell Software\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\sc.exe"
Mon 19 Jun 2006 5,239 ...HR --- "C:\Program Files\Rockwell Software\RS5K_V16\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\CHOICE.com"
Tue 30 Nov 1999 10,000 ...HR --- "C:\Program Files\Rockwell Software\RS5K_V16\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\kill.exe"
Thu 11 Nov 1999 63,248 ...HR --- "C:\Program Files\Rockwell Software\RS5K_V16\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\sc.exe"
Finished!
Rorschach112
2008-05-02, 14:11
Hello
1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Files to delete:
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\clbcfg.dat
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\drivers\vmdesched.sys
C:\WINDOWS\system32\drivers\beep.sys
Registry keys to delete:
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
dmasseyjr
2008-05-02, 19:22
Morning and thanks for the help.
On reboot SDFix continues to be run so I attacked a copy of the text.
Thanks again.
Don M.
SDFix: Version 1.177
Run by Administrator on Thu 05/01/2008 at 06:55 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 19:11:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00037a209280]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00037a209280]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData]
"affid"="7"
"subid"="run01"
"prov"="10010"
"server"="update.microsofttransfer.com"
"flagged"=dword:00000001
"downloaded"=dword:00000001
"googleadserver"="pagead2.googlesyndication.com"
scanning hidden files ...
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1695 bytes
C:\WINDOWS\system32\clbdll.dll 29184 bytes executable
C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll 501248 bytes executable
scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 7
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine"
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"="C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe:*:Enabled:McAfee Managed Services Agent"
"C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"="C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe:*:Enabled:ConfigFree SUMMIT Engine"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Data\\MachShop\\MachineShop.exe"="C:\\Data\\MachShop\\MachineShop.exe:*:Enabled:MachineShop Executable"
"C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"="C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe:*:Enabled:Component of the RSLogix 5000 Application"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL Topspeed"
"C:\\Program Files\\AOL 9.1\\waol.exe"="C:\\Program Files\\AOL 9.1\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL System Information"
"C:\\Program Files\\Common Files\\AOL\\1209414543\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1209414543\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"="C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe:*:Enabled:McAfee Managed Services Agent"
"C:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE"="C:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE:*:Disabled:WFXMSRVR"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"="C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe:*:Enabled:ConfigFree SUMMIT Engine"
"C:\\Data\\MachShop\\MachineShop.exe"="C:\\Data\\MachShop\\MachineShop.exe:*:Enabled:MachineShop Executable"
"C:\\Program Files\\Common Files\\Rockwell\\EventClientMultiplexer.exe"="C:\\Program Files\\Common Files\\Rockwell\\EventClientMultiplexer.exe:*:Enabled:EventClientMultiplexer.exe"
"C:\\Program Files\\Common Files\\Rockwell\\RsvcHost.exe"="C:\\Program Files\\Common Files\\Rockwell\\RsvcHost.exe:*:Enabled:RsvcHost.exe"
"C:\\Program Files\\Common Files\\Rockwell\\RnaDirServer.exe"="C:\\Program Files\\Common Files\\Rockwell\\RnaDirServer.exe:*:Enabled:RnaDirServer.exe"
"C:\\Program Files\\Common Files\\Rockwell\\EventServer.exe"="C:\\Program Files\\Common Files\\Rockwell\\EventServer.exe:*:Enabled:EventServer.exe"
"C:\\Program Files\\Common Files\\Rockwell\\DaClient.exe"="C:\\Program Files\\Common Files\\Rockwell\\DaClient.exe:*:Enabled:DaClient.exe"
"C:\\Program Files\\Common Files\\Rockwell\\RNADiagReceiver.exe"="C:\\Program Files\\Common Files\\Rockwell\\RNADiagReceiver.exe:*:Enabled:RnaDiagReceiver.exe"
"C:\\Program Files\\Common Files\\Rockwell\\RNADiagnosticsSrv.exe"="C:\\Program Files\\Common Files\\Rockwell\\RNADiagnosticsSrv.exe:*:Enabled:RnaDiagnosticsSrv.exe"
"C:\\Program Files\\Common Files\\Rockwell\\VStudio.exe"="C:\\Program Files\\Common Files\\Rockwell\\VStudio.exe:*:Enabled:VStudio.exe"
"C:\\WINDOWS\\system32\\OpcEnum.exe"="C:\\WINDOWS\\system32\\OpcEnum.exe:*:Enabled:OPCEnum.exe"
"C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxNG.exe"="C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxNG.exe:*:Enabled:RSLinxNG.exe"
"C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxShortcutAOA.exe"="C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxShortcutAOA.exe:*:Enabled:RSLinxShortcutAOA.exe"
"C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\CounterMonitor.exe"="C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\CounterMonitor.exe:*:Enabled:CounterMonitor.exe"
"C:\\Program Files\\Rockwell Software\\RSView Enterprise\\MERuntime.exe"="C:\\Program Files\\Rockwell Software\\RSView Enterprise\\MERuntime.exe:*:Enabled:MERuntime.exe"
"C:\\Program Files\\Rockwell Software\\RSView Enterprise\\TagSrv.exe"="C:\\Program Files\\Rockwell Software\\RSView Enterprise\\TagSrv.exe:*:Enabled:TagSrv.exe"
"C:\\Program Files\\Rockwell Software\\RSLINX\\RSLINX.EXE"="C:\\Program Files\\Rockwell Software\\RSLINX\\RSLINX.EXE:*:Enabled:RSLinx.exe"
"C:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe"="C:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe:*:Enabled:OPCTest.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Common Files\\AOL\\1150132139\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1150132139\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"="C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe:*:Enabled:RSLogix 5000 v16.00.00 "
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Phoenix Contact\\CLIP PROJECT advanced\\marking\\1.0.64\\ClipProjectMarking.exe"="C:\\Program Files\\Phoenix Contact\\CLIP PROJECT advanced\\marking\\1.0.64\\ClipProjectMarking.exe:*:Enabled:CLIP PROJECT marking"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 23 Oct 2006 616 ..SHR --- "C:\EVRSI.SYS"
Thu 6 Mar 2008 46,432 A..H. --- "C:\Program Files\AOL 9.1\AOLphx.exe"
Thu 6 Mar 2008 54,624 A..H. --- "C:\Program Files\AOL 9.1\AOLphxex.exe"
Thu 6 Mar 2008 33,120 A..H. --- "C:\Program Files\AOL 9.1\rbm.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 14 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 18 Apr 2003 1,233,920 A..H. --- "C:\Program Files\Rockwell Software\RSLogix 5000 Tools\RSLogix 5000 IEC61131-3 Translation Tool\msxml4.dll"
Mon 28 Apr 2008 96,072 ...H. --- "C:\Program Files\Common Files\AOL\TopSpeed\3.0\WBUnins.exe"
Thu 18 May 2006 24,118 A..H. --- "C:\Documents and Settings\administrator.NORTHAMERICA\Application Data\Microsoft\Office\Shortcut Bar\ProD.tmp"
Thu 12 Jan 2006 19,318 A..H. --- "C:\Documents and Settings\DMassey\Application Data\Microsoft\Office\Shortcut Bar\ProB.tmp"
Wed 11 Jan 2006 8,246 A..H. --- "C:\Documents and Settings\DMassey\Application Data\Microsoft\Office\Shortcut Bar\ProBh.tmp"
Wed 11 Jan 2006 8,246 A..H. --- "C:\Documents and Settings\DMassey\Application Data\Microsoft\Office\Shortcut Bar\ProBs.tmp"
Mon 19 Jun 2006 5,239 ...HR --- "C:\Program Files\Rockwell Software\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\CHOICE.com"
Tue 30 Nov 1999 10,000 ...HR --- "C:\Program Files\Rockwell Software\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\kill.exe"
Thu 11 Nov 1999 63,248 ...HR --- "C:\Program Files\Rockwell Software\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\sc.exe"
Mon 19 Jun 2006 5,239 ...HR --- "C:\Program Files\Rockwell Software\RS5K_V16\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\CHOICE.com"
Tue 30 Nov 1999 10,000 ...HR --- "C:\Program Files\Rockwell Software\RS5K_V16\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\kill.exe"
Thu 11 Nov 1999 63,248 ...HR --- "C:\Program Files\Rockwell Software\RS5K_V16\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\sc.exe"
Finished!
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 10:42:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00037a209280]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00037a209280]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData]
"affid"="7"
"subid"="run01"
"prov"="10010"
"server"="update.microsofttransfer.com"
"flagged"=dword:00000001
"downloaded"=dword:00000001
"googleadserver"="pagead2.googlesyndication.com"
scanning hidden files ...
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1695 bytes
C:\WINDOWS\system32\clbdll.dll 29184 bytes executable
C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll 501248 bytes executable
scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 7
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine"
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"="C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe:*:Enabled:McAfee Managed Services Agent"
"C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"="C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe:*:Enabled:ConfigFree SUMMIT Engine"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Data\\MachShop\\MachineShop.exe"="C:\\Data\\MachShop\\MachineShop.exe:*:Enabled:MachineShop Executable"
"C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"="C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe:*:Enabled:Component of the RSLogix 5000 Application"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL Topspeed"
"C:\\Program Files\\AOL 9.1\\waol.exe"="C:\\Program Files\\AOL 9.1\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL System Information"
"C:\\Program Files\\Common Files\\AOL\\1209414543\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1209414543\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"="C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe:*:Enabled:McAfee Managed Services Agent"
"C:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE"="C:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE:*:Disabled:WFXMSRVR"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"="C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe:*:Enabled:ConfigFree SUMMIT Engine"
"C:\\Data\\MachShop\\MachineShop.exe"="C:\\Data\\MachShop\\MachineShop.exe:*:Enabled:MachineShop Executable"
"C:\\Program Files\\Common Files\\Rockwell\\EventClientMultiplexer.exe"="C:\\Program Files\\Common Files\\Rockwell\\EventClientMultiplexer.exe:*:Enabled:EventClientMultiplexer.exe"
"C:\\Program Files\\Common Files\\Rockwell\\RsvcHost.exe"="C:\\Program Files\\Common Files\\Rockwell\\RsvcHost.exe:*:Enabled:RsvcHost.exe"
"C:\\Program Files\\Common Files\\Rockwell\\RnaDirServer.exe"="C:\\Program Files\\Common Files\\Rockwell\\RnaDirServer.exe:*:Enabled:RnaDirServer.exe"
"C:\\Program Files\\Common Files\\Rockwell\\EventServer.exe"="C:\\Program Files\\Common Files\\Rockwell\\EventServer.exe:*:Enabled:EventServer.exe"
"C:\\Program Files\\Common Files\\Rockwell\\DaClient.exe"="C:\\Program Files\\Common Files\\Rockwell\\DaClient.exe:*:Enabled:DaClient.exe"
"C:\\Program Files\\Common Files\\Rockwell\\RNADiagReceiver.exe"="C:\\Program Files\\Common Files\\Rockwell\\RNADiagReceiver.exe:*:Enabled:RnaDiagReceiver.exe"
"C:\\Program Files\\Common Files\\Rockwell\\RNADiagnosticsSrv.exe"="C:\\Program Files\\Common Files\\Rockwell\\RNADiagnosticsSrv.exe:*:Enabled:RnaDiagnosticsSrv.exe"
"C:\\Program Files\\Common Files\\Rockwell\\VStudio.exe"="C:\\Program Files\\Common Files\\Rockwell\\VStudio.exe:*:Enabled:VStudio.exe"
"C:\\WINDOWS\\system32\\OpcEnum.exe"="C:\\WINDOWS\\system32\\OpcEnum.exe:*:Enabled:OPCEnum.exe"
"C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxNG.exe"="C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxNG.exe:*:Enabled:RSLinxNG.exe"
"C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxShortcutAOA.exe"="C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxShortcutAOA.exe:*:Enabled:RSLinxShortcutAOA.exe"
"C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\CounterMonitor.exe"="C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\CounterMonitor.exe:*:Enabled:CounterMonitor.exe"
"C:\\Program Files\\Rockwell Software\\RSView Enterprise\\MERuntime.exe"="C:\\Program Files\\Rockwell Software\\RSView Enterprise\\MERuntime.exe:*:Enabled:MERuntime.exe"
"C:\\Program Files\\Rockwell Software\\RSView Enterprise\\TagSrv.exe"="C:\\Program Files\\Rockwell Software\\RSView Enterprise\\TagSrv.exe:*:Enabled:TagSrv.exe"
"C:\\Program Files\\Rockwell Software\\RSLINX\\RSLINX.EXE"="C:\\Program Files\\Rockwell Software\\RSLINX\\RSLINX.EXE:*:Enabled:RSLinx.exe"
"C:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe"="C:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe:*:Enabled:OPCTest.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Common Files\\AOL\\1150132139\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1150132139\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"="C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe:*:Enabled:RSLogix 5000 v16.00.00 "
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Phoenix Contact\\CLIP PROJECT advanced\\marking\\1.0.64\\ClipProjectMarking.exe"="C:\\Program Files\\Phoenix Contact\\CLIP PROJECT advanced\\marking\\1.0.64\\ClipProjectMarking.exe:*:Enabled:CLIP PROJECT marking"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 23 Oct 2006 616 ..SHR --- "C:\EVRSI.SYS"
Thu 6 Mar 2008 46,432 A..H. --- "C:\Program Files\AOL 9.1\AOLphx.exe"
Thu 6 Mar 2008 54,624 A..H. --- "C:\Program Files\AOL 9.1\AOLphxex.exe"
Thu 6 Mar 2008 33,120 A..H. --- "C:\Program Files\AOL 9.1\rbm.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 14 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 18 Apr 2003 1,233,920 A..H. --- "C:\Program Files\Rockwell Software\RSLogix 5000 Tools\RSLogix 5000 IEC61131-3 Translation Tool\msxml4.dll"
Mon 28 Apr 2008 96,072 ...H. --- "C:\Program Files\Common Files\AOL\TopSpeed\3.0\WBUnins.exe"
Thu 18 May 2006 24,118 A..H. --- "C:\Documents and Settings\administrator.NORTHAMERICA\Application Data\Microsoft\Office\Shortcut Bar\ProD.tmp"
Thu 12 Jan 2006 19,318 A..H. --- "C:\Documents and Settings\DMassey\Application Data\Microsoft\Office\Shortcut Bar\ProB.tmp"
Wed 11 Jan 2006 8,246 A..H. --- "C:\Documents and Settings\DMassey\Application Data\Microsoft\Office\Shortcut Bar\ProBh.tmp"
Wed 11 Jan 2006 8,246 A..H. --- "C:\Documents and Settings\DMassey\Application Data\Microsoft\Office\Shortcut Bar\ProBs.tmp"
Mon 19 Jun 2006 5,239 ...HR --- "C:\Program Files\Rockwell Software\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\CHOICE.com"
Tue 30 Nov 1999 10,000 ...HR --- "C:\Program Files\Rockwell Software\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\kill.exe"
Thu 11 Nov 1999 63,248 ...HR --- "C:\Program Files\Rockwell Software\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\sc.exe"
Mon 19 Jun 2006 5,239 ...HR --- "C:\Program Files\Rockwell Software\RS5K_V16\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\CHOICE.com"
Tue 30 Nov 1999 10,000 ...HR --- "C:\Program Files\Rockwell Software\RS5K_V16\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\kill.exe"
Thu 11 Nov 1999 63,248 ...HR --- "C:\Program Files\Rockwell Software\RS5K_V16\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\sc.exe"
Finished!
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 11:10:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00037a209280]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00037a209280]
scanning hidden registry entries ...
scanning hidden files ...
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 65536 bytes
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine"
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"="C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe:*:Enabled:McAfee Managed Services Agent"
"C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"="C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe:*:Enabled:ConfigFree SUMMIT Engine"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Data\\MachShop\\MachineShop.exe"="C:\\Data\\MachShop\\MachineShop.exe:*:Enabled:MachineShop Executable"
"C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"="C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe:*:Enabled:Component of the RSLogix 5000 Application"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL Topspeed"
"C:\\Program Files\\AOL 9.1\\waol.exe"="C:\\Program Files\\AOL 9.1\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL System Information"
"C:\\Program Files\\Common Files\\AOL\\1209414543\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1209414543\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"="C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe:*:Enabled:McAfee Managed Services Agent"
"C:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE"="C:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE:*:Disabled:WFXMSRVR"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"="C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe:*:Enabled:ConfigFree SUMMIT Engine"
"C:\\Data\\MachShop\\MachineShop.exe"="C:\\Data\\MachShop\\MachineShop.exe:*:Enabled:MachineShop Executable"
"C:\\Program Files\\Common Files\\Rockwell\\EventClientMultiplexer.exe"="C:\\Program Files\\Common Files\\Rockwell\\EventClientMultiplexer.exe:*:Enabled:EventClientMultiplexer.exe"
"C:\\Program Files\\Common Files\\Rockwell\\RsvcHost.exe"="C:\\Program Files\\Common Files\\Rockwell\\RsvcHost.exe:*:Enabled:RsvcHost.exe"
"C:\\Program Files\\Common Files\\Rockwell\\RnaDirServer.exe"="C:\\Program Files\\Common Files\\Rockwell\\RnaDirServer.exe:*:Enabled:RnaDirServer.exe"
"C:\\Program Files\\Common Files\\Rockwell\\EventServer.exe"="C:\\Program Files\\Common Files\\Rockwell\\EventServer.exe:*:Enabled:EventServer.exe"
"C:\\Program Files\\Common Files\\Rockwell\\DaClient.exe"="C:\\Program Files\\Common Files\\Rockwell\\DaClient.exe:*:Enabled:DaClient.exe"
"C:\\Program Files\\Common Files\\Rockwell\\RNADiagReceiver.exe"="C:\\Program Files\\Common Files\\Rockwell\\RNADiagReceiver.exe:*:Enabled:RnaDiagReceiver.exe"
"C:\\Program Files\\Common Files\\Rockwell\\RNADiagnosticsSrv.exe"="C:\\Program Files\\Common Files\\Rockwell\\RNADiagnosticsSrv.exe:*:Enabled:RnaDiagnosticsSrv.exe"
"C:\\Program Files\\Common Files\\Rockwell\\VStudio.exe"="C:\\Program Files\\Common Files\\Rockwell\\VStudio.exe:*:Enabled:VStudio.exe"
"C:\\WINDOWS\\system32\\OpcEnum.exe"="C:\\WINDOWS\\system32\\OpcEnum.exe:*:Enabled:OPCEnum.exe"
"C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxNG.exe"="C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxNG.exe:*:Enabled:RSLinxNG.exe"
"C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxShortcutAOA.exe"="C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxShortcutAOA.exe:*:Enabled:RSLinxShortcutAOA.exe"
"C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\CounterMonitor.exe"="C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\CounterMonitor.exe:*:Enabled:CounterMonitor.exe"
"C:\\Program Files\\Rockwell Software\\RSView Enterprise\\MERuntime.exe"="C:\\Program Files\\Rockwell Software\\RSView Enterprise\\MERuntime.exe:*:Enabled:MERuntime.exe"
"C:\\Program Files\\Rockwell Software\\RSView Enterprise\\TagSrv.exe"="C:\\Program Files\\Rockwell Software\\RSView Enterprise\\TagSrv.exe:*:Enabled:TagSrv.exe"
"C:\\Program Files\\Rockwell Software\\RSLINX\\RSLINX.EXE"="C:\\Program Files\\Rockwell Software\\RSLINX\\RSLINX.EXE:*:Enabled:RSLinx.exe"
"C:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe"="C:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe:*:Enabled:OPCTest.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Common Files\\AOL\\1150132139\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1150132139\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"="C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe:*:Enabled:RSLogix 5000 v16.00.00 "
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Phoenix Contact\\CLIP PROJECT advanced\\marking\\1.0.64\\ClipProjectMarking.exe"="C:\\Program Files\\Phoenix Contact\\CLIP PROJECT advanced\\marking\\1.0.64\\ClipProjectMarking.exe:*:Enabled:CLIP PROJECT marking"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 23 Oct 2006 616 ..SHR --- "C:\EVRSI.SYS"
Thu 6 Mar 2008 46,432 A..H. --- "C:\Program Files\AOL 9.1\AOLphx.exe"
Thu 6 Mar 2008 54,624 A..H. --- "C:\Program Files\AOL 9.1\AOLphxex.exe"
Thu 6 Mar 2008 33,120 A..H. --- "C:\Program Files\AOL 9.1\rbm.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 14 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 18 Apr 2003 1,233,920 A..H. --- "C:\Program Files\Rockwell Software\RSLogix 5000 Tools\RSLogix 5000 IEC61131-3 Translation Tool\msxml4.dll"
Mon 28 Apr 2008 96,072 ...H. --- "C:\Program Files\Common Files\AOL\TopSpeed\3.0\WBUnins.exe"
Thu 18 May 2006 24,118 A..H. --- "C:\Documents and Settings\administrator.NORTHAMERICA\Application Data\Microsoft\Office\Shortcut Bar\ProD.tmp"
Thu 12 Jan 2006 19,318 A..H. --- "C:\Documents and Settings\DMassey\Application Data\Microsoft\Office\Shortcut Bar\ProB.tmp"
Wed 11 Jan 2006 8,246 A..H. --- "C:\Documents and Settings\DMassey\Application Data\Microsoft\Office\Shortcut Bar\ProBh.tmp"
Wed 11 Jan 2006 8,246 A..H. --- "C:\Documents and Settings\DMassey\Application Data\Microsoft\Office\Shortcut Bar\ProBs.tmp"
Mon 19 Jun 2006 5,239 ...HR --- "C:\Program Files\Rockwell Software\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\CHOICE.com"
Tue 30 Nov 1999 10,000 ...HR --- "C:\Program Files\Rockwell Software\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\kill.exe"
Thu 11 Nov 1999 63,248 ...HR --- "C:\Program Files\Rockwell Software\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\sc.exe"
Mon 19 Jun 2006 5,239 ...HR --- "C:\Program Files\Rockwell Software\RS5K_V16\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\CHOICE.com"
Tue 30 Nov 1999 10,000 ...HR --- "C:\Program Files\Rockwell Software\RS5K_V16\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\kill.exe"
Thu 11 Nov 1999 63,248 ...HR --- "C:\Program Files\Rockwell Software\RS5K_V16\System\FTAP 2_00 CPR7 Patch Installs 05Jan07\FTAP 2_00 CPR7 Patch Installs 05Jan07\Utils\sc.exe"
Finished!
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
Hidden driver "clbdriver" found!
ImagePath: \??\globalroot\systemroot\system32\drivers\clbdriver.sys
Start Type: 1 (System)
Rootkit scan completed.
File "C:\WINDOWS\system32\drivers\clbdriver.sys" deleted successfully.
File "C:\WINDOWS\system32\clbcfg.dat" deleted successfully.
File "C:\WINDOWS\system32\clbdll.dll" deleted successfully.
Error: file "C:\WINDOWS\system32\drivers\vmdesched.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\vmdesched.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
File "C:\WINDOWS\system32\drivers\beep.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21, on 2008-05-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Rockwell\EventServer.exe
C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\tme3srv.exe
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wdn32app.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe
C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\AOL\1209414543\ee\AOLSoftware.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Data\a_system repair\HiJackThis.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://greatsoftwareoffer.toshiba.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TMEPROP] C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe -S
O4 - HKLM\..\Run: [DockMsgFrom] C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1209414543\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF26598.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: On-Screen TimeClock.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136991695123
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.internal
O17 - HKLM\Software\..\Telephony: DomainName = northamerica.internal
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.internal
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
O23 - Service: Rockwell Event Server (EventServer) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Automation - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe
O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
O23 - Service: Rockwell HMI Activity Logger - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
O23 - Service: Rockwell HMI Diagnostics - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
O23 - Service: Rockwell Tag Server - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe
O23 - Service: RSLinx Classic (RSLinx) - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
O23 - Service: RSLinx Enterprise (RSLinxNG) - Rockwell Automation - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TME3SRV - IEC - C:\Program Files\TOSHIBA\TOSHIBA Applet\tme3srv.exe
--
End of file - 15841 bytes
Rorschach112
2008-05-03, 01:56
Post the Avenger log and do this
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)
Click on Kaspersky Online Scanner and click Accept
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
dmasseyjr
2008-05-03, 08:30
I was unable to complete the scan from Kaspersky.
At about the 75% point it would get kicked off by McAfee (I am unable to turn off)
Any suggestions would be greatly appreiciated.
The Deckard file are large, have to make 2 posts.
Extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel(R) Pentium(R) M processor 1.60GHz
Percentage of Memory in Use: 52%
Physical Memory (total/avail): 1023.42 MiB / 482.64 MiB
Pagefile Memory (total/avail): 1696.17 MiB / 1166.75 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.34 MiB
C: is Fixed (NTFS) - 52.93 GiB total, 32.84 GiB free.
D: is CDROM (No Media)
L: is Network (Unformatted)
M: is Network (Unformatted)
N: is Network (Unformatted)
O: is Network (Unformatted)
\\.\PHYSICALDRIVE0 - FUJITSU MHT2060AT - 55.89 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 52.93 GiB - C:
\PARTITION1 - Unknown - 2.96 GiB
-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.
FirstRunDisabled is set.
FW: Norton Internet Worm Protection v2005 (Symantec Corporation)
AV: Total Protection for Small Business v4.5.0.464 (McAfee, Inc.)
AV: Norton AntiVirus 2005 v2005 (Symantec Corporation)
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"="C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe:*:Enabled:McAfee Managed Services Agent"
"C:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE"="C:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE:*:Disabled:WFXMSRVR"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"="C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe:*:Enabled:ConfigFree SUMMIT Engine"
"C:\\Data\\MachShop\\MachineShop.exe"="C:\\Data\\MachShop\\MachineShop.exe:*:Enabled:MachineShop Executable"
"C:\\Program Files\\Common Files\\Rockwell\\EventClientMultiplexer.exe"="C:\\Program Files\\Common Files\\Rockwell\\EventClientMultiplexer.exe:*:Enabled:EventClientMultiplexer.exe"
"C:\\Program Files\\Common Files\\Rockwell\\RsvcHost.exe"="C:\\Program Files\\Common Files\\Rockwell\\RsvcHost.exe:*:Enabled:RsvcHost.exe"
"C:\\Program Files\\Common Files\\Rockwell\\RnaDirServer.exe"="C:\\Program Files\\Common Files\\Rockwell\\RnaDirServer.exe:*:Enabled:RnaDirServer.exe"
"C:\\Program Files\\Common Files\\Rockwell\\EventServer.exe"="C:\\Program Files\\Common Files\\Rockwell\\EventServer.exe:*:Enabled:EventServer.exe"
"C:\\Program Files\\Common Files\\Rockwell\\DaClient.exe"="C:\\Program Files\\Common Files\\Rockwell\\DaClient.exe:*:Enabled:DaClient.exe"
"C:\\Program Files\\Common Files\\Rockwell\\RNADiagReceiver.exe"="C:\\Program Files\\Common Files\\Rockwell\\RNADiagReceiver.exe:*:Enabled:RnaDiagReceiver.exe"
"C:\\Program Files\\Common Files\\Rockwell\\RNADiagnosticsSrv.exe"="C:\\Program Files\\Common Files\\Rockwell\\RNADiagnosticsSrv.exe:*:Enabled:RnaDiagnosticsSrv.exe"
"C:\\Program Files\\Common Files\\Rockwell\\VStudio.exe"="C:\\Program Files\\Common Files\\Rockwell\\VStudio.exe:*:Enabled:VStudio.exe"
"C:\\WINDOWS\\system32\\OpcEnum.exe"="C:\\WINDOWS\\system32\\OpcEnum.exe:*:Enabled:OPCEnum.exe"
"C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxNG.exe"="C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxNG.exe:*:Enabled:RSLinxNG.exe"
"C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxShortcutAOA.exe"="C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxShortcutAOA.exe:*:Enabled:RSLinxShortcutAOA.exe"
"C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\CounterMonitor.exe"="C:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\CounterMonitor.exe:*:Enabled:CounterMonitor.exe"
"C:\\Program Files\\Rockwell Software\\RSView Enterprise\\MERuntime.exe"="C:\\Program Files\\Rockwell Software\\RSView Enterprise\\MERuntime.exe:*:Enabled:MERuntime.exe"
"C:\\Program Files\\Rockwell Software\\RSView Enterprise\\TagSrv.exe"="C:\\Program Files\\Rockwell Software\\RSView Enterprise\\TagSrv.exe:*:Enabled:TagSrv.exe"
"C:\\Program Files\\Rockwell Software\\RSLINX\\RSLINX.EXE"="C:\\Program Files\\Rockwell Software\\RSLINX\\RSLINX.EXE:*:Enabled:RSLinx.exe"
"C:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe"="C:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe:*:Enabled:OPCTest.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Common Files\\AOL\\1150132139\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1150132139\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"="C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe:*:Enabled:RSLogix 5000 v16.00.00 "
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Phoenix Contact\\CLIP PROJECT advanced\\marking\\1.0.64\\ClipProjectMarking.exe"="C:\\Program Files\\Phoenix Contact\\CLIP PROJECT advanced\\marking\\1.0.64\\ClipProjectMarking.exe:*:Enabled:CLIP PROJECT marking"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine"
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"="C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe:*:Enabled:McAfee Managed Services Agent"
"C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"="C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe:*:Enabled:ConfigFree SUMMIT Engine"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Data\\MachShop\\MachineShop.exe"="C:\\Data\\MachShop\\MachineShop.exe:*:Enabled:MachineShop Executable"
"C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"="C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe:*:Enabled:Component of the RSLogix 5000 Application"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL Topspeed"
"C:\\Program Files\\AOL 9.1\\waol.exe"="C:\\Program Files\\AOL 9.1\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL System Information"
"C:\\Program Files\\Common Files\\AOL\\1209414543\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1209414543\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\DMassey\Application Data
classpath=C:\WINDOWS\Java\Trustlib;%classpath%
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WS4003
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
GETMODEL=TECRA A4
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\DMassey
INTERACT=C:\Data\MachShop\Interact
INTERACT_FILES=C:\Data\MachShop\Interact\AppFiles
LOGONSERVER=\\PLANO10
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Rockwell Software\RSCommon;C:\Program Files\Rockwell Software\RSCommon;C:\Program Files\ATI Technologies\ATI Control Panel;C:\PROGRA~1\IBM\CLIENT~1;C:\PROGRA~1\IBM\CLIENT~1\Shared;C:\PROGRA~1\IBM\CLIENT~1\Emulator;C:\Program Files\Common Files\Rockwell;C:\Program Files\Rockwell Software\RSView Enterprise;C:\Program Files\Rockwell Automation\Common\Components
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\DMassey\LOCALS~1\Temp
TMP=C:\DOCUME~1\DMassey\LOCALS~1\Temp
USERDNSDOMAIN=NORTHAMERICA.INTERNAL
USERDOMAIN=NORTHAMERICA
USERNAME=DMassey
USERPROFILE=C:\Documents and Settings\DMassey
VERNUM=PTA40U-0Y001D8
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
DMassey (admin)
administrator.NORTHAMERICA (admin)
User (admin)
McAfeeMVSUser
Administrator (admin)
-- Add/Remove Programs ---------------------------------------------------------
--> C:\Program Files\Common Files\Symantec Shared\SymSetup\{C6F5B6CF-609C-428E-876F-CA83176C021B}.exe /X
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\AFPViewr\DeIsL1.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL10.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL11.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL12.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL13.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL14.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL15.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL16.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL17.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL2.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL3.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL31.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL4.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL5.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL6.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL7.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL8.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL9.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\Emulator\DeIsL1.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\Emulator\DeIsL2.isu"
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> MsiExec.exe /I{34540622-805E-4CC7-98CF-65A43E99CF4D}
--> MsiExec.exe /I{34540622-805E-4CC7-98CF-65A43E99CF4D}
--> MsiExec.exe /I{34540622-805E-4CC7-98CF-65A43E99CF4D}
--> MsiExec.exe /I{34540622-805E-4CC7-98CF-65A43E99CF4D}
--> MsiExec.exe /I{34540622-805E-4CC7-98CF-65A43E99CF4D}
--> MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}
--> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
--> MsiExec.exe /x{EFDCE57C-A7C0-4111-9965-E9D21A89BC35}
--> MsiExec.exe /X{F64306A5-4C32-41bb-B153-53986527FAB4}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
1-Wire Drivers V4.00 Beta 2 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Dallas Semiconductor\1-Wire Drivers V4.00 Beta 2\DeIsL1.isu" -c"C:\Program Files\Dallas Semiconductor\1-Wire Drivers V4.00 Beta 2\_ISREG32.DLL"
7s Monitor --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C8FC4027-B533-11D6-A805-00A0C961FA56}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
AnswerWorks 4.0 Runtime - English --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
AT&T Connection Services Manager --> C:\WINDOWS\WNBackup\WnClient62\unwise32.exe /Z /U C:\WINDOWS\WNBackup\WnClient62\install.log "AT&T Connection Services Manager"
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Bentley MicroStation (V 08.05.02.35) - 1 --> "C:\Program Files\InstallShield Installation Information\GUID.exe" -uninstall -guid"{8BD3BFEE-79BF-40A1-A69D-97A53F216412}_0"
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
BootP-DHCP Server --> MsiExec.exe /I{7BCFC80E-8D88-4B7C-AF62-A629521B3274}
CA Pest Patrol Realtime Protection --> MsiExec.exe /X{F05A5232-CE5E-4274-AB27-44EB8105898D}
ccCommon --> MsiExec.exe /I{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CD/DVD Drive Acoustic Silencer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\Setup.exe" -l0x9
ClearKeeper --> MsiExec.exe /I{4634B79A-3562-4AC0-B6A2-DF9E2D285EBC}
CLIP PROJECT advanced 2007 - marking --> MsiExec.exe /X{50466DE6-08E5-4FE7-9FAE-D08D70436A69}
ControlFLASH --> MsiExec.exe /I{3A810E8B-A239-4FA1-878F-B5F92CD7D6EC}
Cypress USB Mass Storage Driver Installation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0695EE-ED29-4D96-BD77-2A9A17EDF0D6}\Setup.exe" -l0x9 NotFirstInstall
DeviceNet Node Commissioning Tool --> MsiExec.exe /I{7FB3F90F-E754-4374-9ABC-EF8F94DA35E2}
DriveExplorer Lite --> MsiExec.exe /I{661B9E09-D3EF-4B4B-9DE6-AA4D5187504F}
DriveExplorer Lite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F32285D-0354-11D5-804B-0010B57AAB81}\setup.exe" -uninst
DVD-RAM Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\Setup.exe" DVD-RAM Driver
ENI Utility --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Allen-Bradley\ENI Utility\Uninst.isu"
FactoryTalk Activation Client v2.00.01 (CPR 7) --> MsiExec.exe /I{30E45D79-A117-41C9-81E7-004F2B183249}
FactoryTalk Automation Platform 2.00 (CPR 7) --> MsiExec.exe /I{F88FFDE2-2236-4273-9AAB-A01601483845}
Firmware Upgrade Wizard for PanelView Plus 700-1500 --> MsiExec.exe /X{1EB4ADAC-EEC7-48A6-ACAF-10C8EC5F1E34}
Firmware Upgrade Wizard for PanelView Plus 700-1500 --> MsiExec.exe /X{56C0798E-829C-4F05-90AA-277BE76C69FD}
FTDI USB Serial Converter Drivers --> C:\WINDOWS\system32\ftdiunin.exe C:\WINDOWS\system32\ftdiun2k.ini
Hard Disk Recovery Utilities --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Toshiba\Hard Disk Recovery Utilities\Uninst.isu"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
IBM iSeries Access for Windows --> "C:\Program Files\IBM\Client Access\cwbinarp.exe"
Intel(R) PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
Internet Worm Protection --> MsiExec.exe /I{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4}
InterVideo WinDVD for TOSHIBA --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
LiveUpdate BVRP Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe" -l0x9
Logix CPU Security Tool --> MsiExec.exe /I{9AE0E408-37BC-4B89-B768-252DE878CE7A}
Logix5000 Clock Update Tool --> MsiExec.exe /I{1AB02C49-910D-4823-94BA-51FC4047B9C8}
Logix5000 Task Monitor --> MsiExec.exe /I{0C3966A5-7D21-40CF-A8AA-6DA061D25541}
MachineShop --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{507E494F-653A-11D3-A32E-00104B72C09A}\Setup.exe" -l0x9
McAfee Virus and Spyware Protection Service --> C:\PROGRA~1\McAfee\MANAGE~1\Agent\myinx /Script=C:\PROGRA~1\McAfee\MANAGE~1\VScan\vsasap.inx /Section=DefaultUninstall
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mEoU.msi --> MsiExec.exe /I{B502B428-3386-40A9-98DB-079AAB72E64F}
mHelp --> MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Office OneNote 2003 --> MsiExec.exe /I{91A10409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mIWCA --> MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
mobile PhoneTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F18E8A0F-BE99-4305-96A5-6C0FD9D7D999}\setup.exe" -l0x9
MOVITOOLS 4.50 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\SEW\MOVITOOLS\MTools.isu"
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Napster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBBCAE4B-B416-4182-A6F2-438180894A81}\setup.exe" -l0x9 AddRemoveCPRun
PanelBuilder32 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Allen-Bradley\PanelBuilder32\Uninst.isu" -c"C:\Program Files\Allen-Bradley\PanelBuilder32\PFTUninst.DLL"
Parker Isysnet Analog Module Profiles --> MsiExec.exe /X{2ACA8536-E7A2-4914-9597-DBA635D93492}
Parker Isysnet ASCII Module Profile --> MsiExec.exe /X{C3ED335A-3156-4152-B96A-D44A0B1A55A3}
Parker Isysnet Discrete Module Profiles --> MsiExec.exe /X{893727BF-9C7C-483F-9E69-D8314DB21186}
PCM001Z-0 --> MsiExec.exe /I{4F3C3C47-E859-11D7-918F-00E018812E83}
Pdf995 --> c:\pdf995\setup.exe uninstall
PID Calculation Program --> C:\CGCM\PIDCal\UNWISE.EXE C:\CGCM\PIDCal\INSTALL.LOG
PowerTools FM - v4.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5F4A3D57-B9BE-4A31-9655-E682D2A45FB1}\Setup.exe" -l0x9 anything
Quick Designer Advanced v3.70 TCP --> C:\WINDOWS\TCP Uninstall37.exe
Quicken 2006 --> MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Rockwell Automation 1734 Analog Module Profiles --> MsiExec.exe /X{FC07B277-E45F-47AF-BE00-09B03B356899}
Rockwell Automation 1734 ASCII Module Profiles --> MsiExec.exe /X{23727D32-E8A7-418D-BF8D-97A79FF793C1}
Rockwell Automation 1734 Discrete Module Profiles --> MsiExec.exe /X{357187EE-8B25-467D-A567-88C735932174}
Rockwell Automation 1734 Specialty Module Profiles --> MsiExec.exe /X{39363D4F-BF1C-447C-8014-F7966A9975D9}
Rockwell Automation 1738 Analog Module Profiles --> MsiExec.exe /X{6AFEDA45-288E-445F-A176-FCD42AFA74FE}
Rockwell Automation 1738 ASCII Module Profiles --> MsiExec.exe /X{A2C6C8E7-3540-4A0C-8C87-DAA164B0740B}
Rockwell Automation 1738 Discrete Module Profiles --> MsiExec.exe /X{A393179D-478D-40C7-A6A2-90B9F34C2341}
Rockwell Automation 1738 Specialty Module Profiles --> MsiExec.exe /X{FA79AEE5-9FA1-4A6F-B66F-18AF565E1061}
Rockwell Automation 1756 CNet Comms Module Profiles --> MsiExec.exe /X{4866D596-CE65-4F7D-B98C-A28F8E9E13E5}
Rockwell Automation 1756 ENet Comms Module Profiles --> MsiExec.exe /X{AB8E12B5-0B0E-47F9-83A7-89F40B39DBF1}
Rockwell Automation 1756 HART Module Profiles --> MsiExec.exe /X{AAF8A903-9A85-43DF-A35C-3E5549484DDA}
Rockwell Automation 1769 Analog Module Profiles --> MsiExec.exe /X{2ABE52D6-0F52-48F6-9AB7-A7DDAACD8654}
Rockwell Automation 1769 Analog Module Profiles --> MsiExec.exe /X{842CDC14-718F-4063-9D48-36E982E12946}
Rockwell Automation 1769 Boolean Module Profiles --> MsiExec.exe /X{449AD43D-AEF6-439B-B936-B1E239B8944C}
Rockwell Automation 1769 Discrete Module Profiles --> MsiExec.exe /X{7033EFFB-90EA-4A54-9807-FB4AACA52A0B}
Rockwell Automation 1769 Specialty Module Profiles --> MsiExec.exe /X{E4355DEE-167C-4BD3-9FD7-0F389EBF3981}
Rockwell Automation 1791DS Discrete Module Profiles --> MsiExec.exe /X{28302E0C-2E42-4635-8657-078C88989BEF}
Rockwell Automation Drives PowerFlex 4 Module Profiles --> MsiExec.exe /X{66B72D42-0209-4F45-857A-D509649FC74B}
Rockwell Automation Drives PowerFlex 7 Module Profiles --> MsiExec.exe /X{5EFD7668-C7D7-401E-BF4C-F10CEE02ED9E}
Rockwell Automation Drives SCANport Module Profiles --> MsiExec.exe /X{102AC368-2BC1-482D-85B9-5C38F5025F8B}
Rockwell Automation Generic Safety Module Profiles --> MsiExec.exe /X{F699127B-51FB-44DF-AD6A-8AC498BA9684}
Rockwell Software Hardware Maintenance Tool --> C:\Program Files\Rockwell Software\RSCommon\RSHWare.exe
Rockwell Windows Firewall Configuration Utility 1.00.01 --> MsiExec.exe /I{546A6A91-FA45-48BD-A6D6-F4C8D4317A56}
Roxio Burn Engine --> MsiExec.exe /X{9860A9CF-7E71-43AC-888F-0B4D3EA212D1}
RSLinx Classic --> MsiExec.exe /I{34540622-805E-4CC7-98CF-65A43E99CF4D}
RSLinx Enterprise (CPR 7) --> MsiExec.exe /I{645FF519-BB6C-47D9-BB81-561C3846FBC5}
RSLogix 500 English 7.00.00 (CPR 7) --> MsiExec.exe /I{EFDCE57C-A7C0-4111-9965-E9D21A89BC35}
RSLogix 5000 Compare v2 --> MsiExec.exe /I{65808416-E7F9-4DB5-9208-E63078C93B7D}
RSLogix 5000 DeviceNet Tag Generator --> MsiExec.exe /I{B100A292-14C5-4E41-AE27-0229BFBFDA9F}
RSLogix 5000 Faceplates --> MsiExec.exe /X{4E8B1FF0-BE42-42F0-84C3-030399C548A1}
RSLogix 5000 IEC61131-3 Translation Tool --> MsiExec.exe /I{517AA455-8CC9-4281-87A4-865E71947DC9}
RSLogix 5000 Module Profile Core --> MsiExec.exe /X{903B8611-2695-4B42-A613-1394AD01F511}
RSLogix 5000 Module Profile Setup Utility --> MsiExec.exe /X{110ACB92-B678-4CAC-870F-86F1326219D6}
RSLogix 5000 Online Books v16.00.00 --> MsiExec.exe /I{20010016-D5FD-11DA-A128-000C29473C90}
RSLogix 5000 Start Page Media v16.00.05 --> MsiExec.exe /I{10050016-D5FD-11DA-A128-000C29473C90}
RSLogix 5000 System Updates --> MsiExec.exe /X{8E10471D-5CBF-4080-972D-2E6451420B7F}
RSLogix 5000 v15.01 --> MsiExec.exe /X{30010115-EC33-11D6-A408-F6139379CBFB}
RSLogix 5000 v16.00.00 --> MsiExec.exe /I{30010016-EC33-11D6-A408-F6139379CBFB}
RSNetWorx for DeviceNet 7.00.00 (CPR 7) --> MsiExec.exe /I{692179FB-984B-465A-BC4F-3875D2D53F32}
RSView Machine Edition 4.00.00 (CPR 7) --> MsiExec.exe /I{D52998E0-1E8B-4FEF-888B-9770ACA442B7}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SMSC IrCC V5.1.3600.5 SP2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F1B8DB67-D30E-4FF9-A85F-3CEE51825AA2}\setup.exe" -l0x9 UNINSTALL
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
SPBBC --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Symantec --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
Symantec Script Blocking Installer --> MsiExec.exe /I{D327AFC9-7BAA-473A-8319-6EB7A0D40138}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Tag Data Monitor Tool --> MsiExec.exe /I{8A8C5496-0460-489E-8CB9-8F62E09F033D}
Tag Import Utility --> MsiExec.exe /I{B4BC22FF-9599-4FB4-9F3D-C8D7A19800D4}
Tag Upload Download Tool --> MsiExec.exe /I{BA35560D-EE87-40BD-A84B-48F4CD939D38}
Texas Instruments PCIxx21/x515 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{73B2BC65-F997-4208-AEE5-CF8B809A3A71}
TimeClock Plus 5.0 Client --> MsiExec.exe /X{ABDB4A1C-4583-4127-BDF1-BE720FE10D20}
TOSHIBA Assist --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\Setup.exe" -l0x9
TOSHIBA ConfigFree --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe" -l0x9 UNINSTALL
TOSHIBA Controls --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Hotkey Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{64DD71BC-3109-4C88-9AD3-D5422644B722}\setup.exe" -l0x9
TOSHIBA Mobile Extension 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C61F1CE9-9A16-42E5-80ED-1E5E3EC677D4}\setup.exe" -l0x9
TOSHIBA PC Diagnostic Tool --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\PCDiag\Uninst.isu"
TOSHIBA Power Saver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\Power Saver\Uninst.isu" -c"C:\WINDOWS\system32\TPSDel.dll"
Toshiba Registration --> MsiExec.exe /X{F6C405D2-C50D-4D10-B89E-73A233A14D74}
TOSHIBA SD Memory Card Format --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48CF9A66-5F03-4025-ABD0-B3A3FA095A59}\Setup.exe"
TOSHIBA Software Modem --> Tosmreg -U
TOSHIBA Software Upgrades --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F69B66A8-61C9-424C-AFA1-7EC6093AC5AD}\setup.exe"
TOSHIBA Speech System Applications --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE033C1F-443E-41EC-A0E2-559B539A4E4D}\Setup.exe" -l0x9
TOSHIBA Speech System SR Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{008D69EB-70FF-46AB-9C75-924620DF191A}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Speech System TTS Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FBF6F99-8EC6-41B4-8527-0A32241B5496}\Setup.exe" -l0x9
Toshiba Tbiosdrv Driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Toshiba\Toshiba Tbiosdrv Driver\Tbiosdrv.isu"
TOSHIBA TouchPad ON/Off Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{69BE47C2-36FE-4397-8199-85D8EAE69982}\setup.exe" -l0x9
TOSHIBA Utilities --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{78C68CB9-3DF5-44F3-AB9D-FA305C5EB85C}\setup.exe" -l0x9
TOSHIBA Virtual Sound --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B12BA86-ADAC-4BA6-B441-FFC591087252}\Setup.exe" /uninstall
TOSHIBA Zooming Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{64212898-097F-4F3F-AECA-6D34A7EF82DF}\Setup.exe"
Touch and Launch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D96E2B1-D9AC-46E0-9073-425C5F63E338}\Setup.exe"
TurboTax Deluxe 2007 --> C:\Program Files\TurboTax\Deluxe 2007\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2007\Uninstall.log" -NoGui
Uninstall AOL Emergency Connect Utility 1.0 --> C:\Program Files\Common Files\AOL\ECU\uninst.exe
USB Storage Adapter FX (SM1) --> SM1UN.EXE SM1FX_AT
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WD Diagnostics --> MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
-- Application Event Log -------------------------------------------------------
Event Record #/Type31378 / Warning
Event Submitted/Written: 05/03/2008 00:21:14 AM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.
Event Record #/Type31377 / Warning
Event Submitted/Written: 05/03/2008 00:21:14 AM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 800401E4.
Event Record #/Type31375 / Warning
Event Submitted/Written: 05/03/2008 00:12:41 AM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.
Event Record #/Type31374 / Warning
Event Submitted/Written: 05/03/2008 00:12:41 AM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 800401E4.
Event Record #/Type31372 / Warning
Event Submitted/Written: 05/03/2008 00:12:34 AM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type73417 / Error
Event Submitted/Written: 05/03/2008 00:09:39 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Beep
Event Record #/Type73415 / Error
Event Submitted/Written: 05/03/2008 00:08:59 AM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.
Event Record #/Type73414 / Warning
Event Submitted/Written: 05/03/2008 00:08:59 AM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 15 minutes.
Event Record #/Type73413 / Error
Event Submitted/Written: 05/03/2008 00:08:58 AM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.
Event Record #/Type73412 / Warning
Event Submitted/Written: 05/03/2008 00:08:58 AM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 15 minutes.
-- End of Deckard's System Scanner: finished at 2008-05-03 00:21:29 ------------
dmasseyjr
2008-05-03, 08:31
Second post
Main.txt
Deckard's System Scanner v20071014.68
Run by DMassey on 2008-05-03 00:16:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Failed to create restore point; unknown error code 0x0000007E
-- Last 5 Restore Point(s) --
71: 2008-05-03 05:17:00 UTC - RP650 - Deckard's System Scanner Restore Point
70: 2008-05-03 05:15:06 UTC - RP649 - Removed SD Secure Module
69: 2008-05-02 21:33:11 UTC - RP648 - System Checkpoint
68: 2008-05-01 19:33:33 UTC - RP647 - ComboFix created restore point
67: 2008-05-01 19:20:27 UTC - RP646 - ComboFix created restore point
-- First Restore Point --
1: 2008-04-27 04:20:26 UTC - RP580 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as DMassey.exe) ---------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:20, on 2008-05-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Rockwell\EventServer.exe
C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\tme3srv.exe
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\WINDOWS\system32\wdn32app.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe
C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\AOL\1209414543\ee\AOLSoftware.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\DMassey\Local Settings\Temporary Internet Files\Content.IE5\V1PQWHIH\dss[1].exe
C:\Data\A_SYST~1\DMassey.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://greatsoftwareoffer.toshiba.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TMEPROP] C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe -S
O4 - HKLM\..\Run: [DockMsgFrom] C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1209414543\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF26598.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: On-Screen TimeClock.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136991695123
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.internal
O17 - HKLM\Software\..\Telephony: DomainName = northamerica.internal
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.internal
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
O23 - Service: Rockwell Event Server (EventServer) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Automation - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe
O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
O23 - Service: Rockwell HMI Activity Logger - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
O23 - Service: Rockwell HMI Diagnostics - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
O23 - Service: Rockwell Tag Server - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe
O23 - Service: RSLinx Classic (RSLinx) - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
O23 - Service: RSLinx Enterprise (RSLinxNG) - Rockwell Automation - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TME3SRV - IEC - C:\Program Files\TOSHIBA\TOSHIBA Applet\tme3srv.exe
--
End of file - 16168 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.6.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 DS1410D - c:\windows\system32\drivers\ds1410d.sys <Not Verified; Dallas Semiconductor MAXIM; 1-Wire Drivers>
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys
R3 PcmkWdm (%PcmkWdm.DeviceDesc%) - c:\windows\system32\drivers\pcmkwdm.sys <Not Verified; Rockwell Software, Inc.; PcmkWdm Driver>
R3 TVALD (Toshiba Mobile PC Service) - c:\windows\system32\drivers\nbsmi.sys <Not Verified; Toshiba Corporation; Toshiba Notebook PC SMI Service>
R3 Tvs (Toshiba Virtual Sound with SRS technologies) - c:\windows\system32\drivers\tvs.sys <Not Verified; TOSHIBA Corporation; Audio Filter>
S1 VirtualBackplane (A-B Virtual Backplane) - c:\windows\system32\drivers\virtualbackplane.sys (file missing)
S3 ABKTCX (Rockwell Software 1784-KTC(X) Driver) - c:\windows\system32\drivers\abktcx.sys <Not Verified; Rockwell Software Inc.; abktcx Driver>
S3 abpcd (Allen-Bradley 1784-PCD 32-Bit Driver) - c:\windows\system32\drivers\abpcd.sys <Not Verified; Rockwell Automation; 1784-PCD DeviceNet Kernel Mode Driver (abpcd)>
S3 catchme - c:\docume~1\dmassey\locals~1\temp\catchme.sys (file missing)
S3 FTDIBUS (USB Serial Converter Driver) - c:\windows\system32\drivers\ftdibus.sys <Not Verified; FTDI Ltd.; FT8U232AX>
S3 FTSER2K (USB Serial Port Driver) - c:\windows\system32\drivers\ftser2k.sys <Not Verified; FTDI Ltd.; FT8U232AX>
S3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; McAfee Inc.; VirusScan>
S3 pcidnt (A-B 1784-PCIDS) - c:\windows\system32\drivers\pcidnt.sys (file missing)
S3 RS_SS_NT (RSLinx Classic S-S SD/SD2 Device Driver) - c:\windows\system32\rs_ss_nt.sys <Not Verified; Rockwell Software, Inc.; RSLinx>
S3 RsiKtControl - c:\windows\system32\rsikt.sys <Not Verified; Rockwell Software, Inc.; RSLinx>
S3 RSI-PKTX-A - c:\windows\system32\drivers\rsi-pktx-a.sys <Not Verified; Rockwell Automation; PKTX RIO Adapter Driver>
S3 RSLINXNGKtControl - c:\windows\system32\drivers\rsiktng.sys <Not Verified; Rockwell Software Inc.; RSLinx>
S3 RSSERIAL (RSLinx Classic Serial Driver) - c:\windows\system32\rsserial.sys <Not Verified; Rockwell Software Inc.; Rsserial Driver>
S3 SymEvent - c:\program files\symantec\symevent.sys (file missing)
S3 tosrfec (Bluetooth ACPI from TOSHIBA) - c:\windows\system32\drivers\tosrfec.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth EC Driver>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree(TM)>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
R2 OwnershipProtocol - c:\program files\intel\wireless\bin\oprotsvc.exe <Not Verified; Intel Corporation; Intel PROSet/Wireless>
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 RNADiagnosticsService (FactoryTalk Diagnostics Local Reader) - "c:\program files\common files\rockwell\rnadiagnosticssrv.exe" <Not Verified; Rockwell Automation; Factory Talk Diagnostics>
R2 RNADirectory (Rockwell Directory Server) - "c:\program files\common files\rockwell\rnadirserver.exe" <Not Verified; Rockwell Software Inc.; FactoryTalk ®>
R2 Rockwell HMI Diagnostics - "c:\program files\rockwell software\rsview enterprise\hmidiagnosticslstadapt.exe" <Not Verified; Rockwell Software, Inc.; ViewStudio>
R2 RSLinx (RSLinx Classic) - c:\progra~1\rockwe~1\rslinx\rslinx.exe /service <Not Verified; Rockwell Software, Inc.; RSLinx Classic>
R2 RsvcHost (Rockwell Application Services) - "c:\program files\common files\rockwell\rsvchost.exe" <Not Verified; Rockwell Software Inc.; FactoryTalk ®>
R2 Swupdtmr - c:\toshiba\ivp\swupdate\swupdtmr.exe
R2 TAPPSRV (TOSHIBA Application Service) - "c:\program files\toshiba\toshiba applet\tappsrv.exe" <Not Verified; TOSHIBA Corp.; TOSHIBA TAPPSRV>
R2 TME3SRV - c:\program files\toshiba\toshiba applet\tme3srv.exe /service <Not Verified; IEC; IEC tme3srv>
R3 EventClientMultiplexer (Rockwell Event Multiplexer) - "c:\program files\common files\rockwell\eventclientmultiplexer.exe" <Not Verified; Rockwell Software Inc.; FactoryTalk ®>
R3 EventServer (Rockwell Event Server) - "c:\program files\common files\rockwell\eventserver.exe" <Not Verified; Rockwell Software Inc.; FactoryTalk ®>
R3 Harmony - "c:\program files\rockwell software\rscommon\rsobserv.exe" <Not Verified; Rockwell Software Inc.; Rockwell Software Harmony services>
S3 Cwbrxd (iSeries Access for Windows Remote Command) - c:\windows\cwbrxd.exe <Not Verified; IBM Corporation; IBM(R) iSeries (TM) Access for Windows>
S3 dnWhoDisp - c:\program files\rockwell software\rslinx\dnwhodisp.exe <Not Verified; ; dnWhoDisp Module>
S3 OpcEnum - c:\windows\system32\opcenum.exe <Not Verified; OPC Foundation; OPC Server Enumerator 1.10>
S3 RNADiagReceiver (FactoryTalk Diagnostics CE Receiver) - "c:\program files\common files\rockwell\rnadiagreceiver.exe" <Not Verified; ; Rockwell Software FactoryTalk Diagnostics>
S3 RNADirMultiplexor (Rockwell Directory Multiplexer) - "c:\program files\common files\rockwell\rnadirmultiplexor.exe" <Not Verified; Rockwell Software Inc.; FactoryTalk ®>
S3 Rockwell HMI Activity Logger - "c:\program files\rockwell software\rsview enterprise\rsactivitylogserv.exe" <Not Verified; Rockwell Software, Inc.; RSView Enterprise>
S3 Rockwell Tag Server - "c:\program files\rockwell software\rsview enterprise\tagsrv.exe" <Not Verified; Rockwell Software, Inc.; HMICore>
S3 RSLinxNG (RSLinx Enterprise) - "c:\program files\rockwell software\rslinx enterprise\rslinxng.exe" /service <Not Verified; Rockwell Automation; RSLinx Enterprise>
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Scheduled Tasks -------------------------------------------------------------
2008-05-01 12:15:35 244 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
-- Files created between 2008-04-03 and 2008-05-03 -----------------------------
2008-05-02 23:43:42 0 d-------- C:\WINDOWS\system32\NtmsData
2008-05-02 18:13:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-02 18:13:14 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-01 18:48:45 0 d-------- C:\WINDOWS\ERUNT
2008-05-01 14:20:51 0 d-------- C:\cmdcons
2008-05-01 13:44:39 68096 --a------ C:\WINDOWS\zip.exe
2008-05-01 13:44:39 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-01 13:44:39 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-01 13:44:39 98816 --a------ C:\WINDOWS\sed.exe
2008-05-01 13:44:39 80412 --a------ C:\WINDOWS\grep.exe
2008-05-01 13:44:39 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-01 13:44:38 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-01 13:44:38 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-01 13:01:03 0 d-------- C:\Program Files\Trend Micro
2008-05-01 10:09:07 0 dr-h----- C:\Documents and Settings\DMassey\Recent
2008-05-01 10:06:31 0 d-------- C:\Program Files\CCleaner
2008-04-29 09:05:14 691545 --a------ C:\WINDOWS\unins000.exe
2008-04-29 09:05:14 2543 --a------ C:\WINDOWS\unins000.dat
2008-04-28 15:28:53 0 d-------- C:\WINDOWS\aolshare
2008-04-28 15:28:50 0 d-------- C:\Program Files\Common Files\aolshare
2008-04-28 15:28:50 0 d-------- C:\Program Files\AOL 9.1
2008-04-28 10:36:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Macromedia
2008-04-21 08:41:50 0 d-------- C:\Program Files\Western Digital Technologies
-- Find3M Report ---------------------------------------------------------------
2008-04-29 08:31:19 0 d-------- C:\Program Files\Common Files\AOL
2008-04-29 08:22:16 0 d-------- C:\Documents and Settings\DMassey\Application Data\AOL
2008-04-28 15:28:50 0 d-------- C:\Program Files\Common Files
2008-04-28 10:57:32 0 d-------- C:\Program Files\Pure Networks
2008-04-28 10:33:46 0 d-------- C:\Program Files\Common Files\Nullsoft
2008-04-27 18:02:49 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-27 18:02:45 0 d-------- C:\Program Files\Common Files\Rockwell
2008-03-18 09:21:38 0 d-------- C:\Documents and Settings\DMassey\Application Data\Intuit
2008-03-13 08:43:44 0 d-------- C:\Program Files\LiveUpdate
2008-03-13 08:43:16 0 d-------- C:\Program Files\mobile PhoneTools
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2005-01-14 19:45]
"TMEPROP"="C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe" [2005-01-15 00:26]
"DockMsgFrom"="C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe" [2004-11-11 17:04]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:00 C:\WINDOWS\system32\bthprops.cpl]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-08 00:10]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 16:48]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 11:27]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 18:28]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 18:26]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-05 20:16]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2004-11-12 20:57]
"TFncKy"="TFncKy.exe" []
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 17:03]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-15 18:03]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-03 04:05]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 17:20]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-08-13 15:17]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2004-11-03 14:12]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 14:27]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 14:31]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe" [2007-05-18 04:03]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [2007-03-06 17:25]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2002-05-07 08:20]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [2002-05-07 08:20]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [2002-05-07 08:20]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [2002-05-07 08:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-05 14:51]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 06:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 06:03]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 20:08]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 18:52]
"HostManager"="C:\Program Files\Common Files\AOL\1209414543\ee\AOLSoftware.exe" [2007-05-25 12:16]
"combofix"="C:\WINDOWS\system32\CF26598.exe" []
"SDFix"="C:\SDFix\RunThis.bat /second" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 06:24]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43]
"AOL Fast Start"="C:\Program Files\AOL 9.1\AOL.exe" [2008-03-06 05:12]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 07:44:06]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]
On-Screen TimeClock.lnk - C:\WINDOWS\Installer\{ABDB4A1C-4583-4127-BDF1-BE720FE10D20}\ShortCut_TimeClock_ABDB4A1C45834127BDF1BE720FE10D20.exe [2006-01-11 09:58:57]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-30 23:58:01]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 16:51:54]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-01-11 09:08:31]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 14:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
-- End of Deckard's System Scanner: finished at 2008-05-03 00:21:29 ------------
Rorschach112
2008-05-03, 14:17
Hello
You have two firewalls, so you need to disable Windows firewall
1. Click Start, click Run, type Firewall.cpl, and then click OK.
2. On the General tab, click Off (not recommended), and then click OK.
You also have two anti-virus programs, you need to remove one of these
AV: Total Protection for Small Business v4.5.0.464 (McAfee, Inc.)
AV: Norton AntiVirus 2005 v2005 (Symantec Corporation)
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
Reboot and tell me how your PC is running
dmasseyjr
2008-05-03, 18:51
My system appears to be working better than before we started.
The onlt thing happening at this time is SDFix lauches each time I bootup.
As for all the other software that I have downloaded, can it be removed from the add/remove area?
Has this taken care of my issues?
Malwarebytes' Anti-Malware 1.11
Database version: 711
Scan type: Full Scan (C:\|D:\|L:\|M:\|N:\|O:\|)
Objects scanned: 154044
Time elapsed: 1 hour(s), 39 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{916D0DCA-2339-483A-B833-5F27C0AB6D6C}\RP641\A0236465.old (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{916D0DCA-2339-483A-B833-5F27C0AB6D6C}\RP643\A0238806.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{916D0DCA-2339-483A-B833-5F27C0AB6D6C}\RP643\A0240920.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{916D0DCA-2339-483A-B833-5F27C0AB6D6C}\RP643\A0240921.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{916D0DCA-2339-483A-B833-5F27C0AB6D6C}\RP644\A0246026.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{916D0DCA-2339-483A-B833-5F27C0AB6D6C}\RP644\A0246029.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{916D0DCA-2339-483A-B833-5F27C0AB6D6C}\RP644\A0248585.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
Rorschach112
2008-05-03, 19:40
To stop that fix this entry in HijackThis
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
Few things left to do
Follow these steps to uninstall Combofix and tools used in the removal of malware
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
You now need to update your Java and remove your older versions.
Please follow these steps to remove older version Java components.
* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.
Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here (http://java.sun.com/javase/downloads/index.jsp)
Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com/products/acrobat/readstep2.html
Below I have included a number of recommendations for how to protect your computer against malware infections.
* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.
* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.
Make Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here (http://www.mozilla.org/products/firefox/)
* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)
Thank you for your patience, and performing all of the procedures requested.
dmasseyjr
2008-05-03, 20:14
Thanks for all your help and patience.
Rorschach112
2008-05-03, 21:07
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.