View Full Version : virtumonde removal help please!!!
mark_in_nola
2008-09-09, 03:04
Hope I followed all the directions properly. I am dying here. This computer is my lifeline so that I don't have to commute every day. Help!!!
Here is my HJT log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:03 PM, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdfserv.exe
C:\WINDOWS\system32\lxdfcoms.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\svcprs32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070425
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070425
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ecc91cf8] rundll32.exe "C:\WINDOWS\system32\gdhvmanq.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA1578] command /c del "C:\WINDOWS\system32\urqRLbYq.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4401] cmd /c del "C:\WINDOWS\system32\urqRLbYq.dll"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [RCHotKey] "C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Search - ?p=zuzed004YYUS_ZZzer000
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Identities Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O8 - Extra context menu item: Logoff - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O8 - Extra context menu item: RoboForm Options - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Set Fields - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O9 - Extra 'Tools' menuitem: RoboForm Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O9 - Extra button: Customize - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra 'Tools' menuitem: Customize Menu - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Set Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra 'Tools' menuitem: Set Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra button: Logoff - {320AF880-6646-11D3-ABEE-C5DBF3571F55} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O9 - Extra 'Tools' menuitem: Logoff - {320AF880-6646-11D3-ABEE-C5DBF3571F55} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O9 - Extra button: Identities - {45DB34C3-955C-11D3-ABEF-444553540000} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 - Extra 'Tools' menuitem: Identities Editor - {45DB34C3-955C-11D3-ABEF-444553540000} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 - Extra button: Passcards - {45DB34C3-955C-11D3-ABEF-444553540001} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O9 - Extra 'Tools' menuitem: Passcards Editor - {45DB34C3-955C-11D3-ABEF-444553540001} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.kodakgallery.com/downloads/hmpr/HMPR_WIN_IE_1/wiaaut.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.pasadosafehaven.org/Remote/msrdp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://eval.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {EE85A9FD-6E52-4227-BB82-D46A660690EA} (RCSetup Class) - https://service.ringcentral.com/ActiveX/RCAXSetup.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL idedck.dll
O21 - SSODL: xrdwbfgn - {5E72BE8F-930A-47B8-BC4E-32AEE922FB9E} - (no file)
O21 - SSODL: dgksvbpn - {0862FF7F-78BB-46D9-848D-AEBE36D31415} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe
O23 - Service: lxdf_device - - C:\WINDOWS\system32\lxdfcoms.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NeatReceipts Database Controller - Digital Business Processes - C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 17176 bytes
Hello and welcome to Safer Networking.
My name is km2357 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.
If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.
Please do not start another thread or topic, I will assist you at this thread until we solve your problems.
Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.
I will be back as soon as possible with your first instructions!
Step # 1: Disable Teatimer
Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.
This is a two step process.
First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version : Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.
Step # 2 Download CCleaner
Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.
Double click on the ccsetup.exe file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location.
Under Install Options, choose all the default settings except I would recommend that you unclick/untick install the Yahoo! Toolbar, unless you want it. You can also Uncheck the 'Automatically check for updates' box.
Click Install then finish to complete installation.
Step # 3 Retrieve the Installed Programs List from CCleaner
Open CCleaner if it's not already running.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
Step # 4: Download and Run ComboFix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Be sure to save ComboFix.exe to your Desktop
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleaning the system:
CCleaner Install List
C:\ComboFix.txt
New HijackThis log.
Use multiple posts if you can't fit everything into one post.
mark_in_nola
2008-09-09, 23:30
Okay, did everything (I hope) and got a report back.
Here is the Combofix report and other reports will follow:
ComboFix 08-09-05.12 - Mark Steinway 2008-09-09 14:13:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1372 [GMT -5:00]
Running from: C:\Documents and Settings\Mark Steinway\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark Steinway\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\junk.dum
C:\WINDOWS\cookies.ini
C:\WINDOWS\elkg.exe
C:\WINDOWS\system32\avdyrbyx.ini
C:\WINDOWS\system32\bitkcvmm.dll
C:\WINDOWS\system32\byXQGVpn.dll
C:\WINDOWS\system32\cplyiwkg.ini
C:\WINDOWS\system32\csjhwdnj.dll
C:\WINDOWS\system32\cwyfneqx.ini
C:\WINDOWS\system32\frzdve.dll
C:\WINDOWS\system32\gkwiylpc.dll
C:\WINDOWS\system32\hptstjkb.ini
C:\WINDOWS\system32\idedck.dll
C:\WINDOWS\system32\jmjdzf.dll
C:\WINDOWS\system32\jndwhjsc.ini
C:\WINDOWS\system32\kebpnf.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfrvmtil.dll
C:\WINDOWS\system32\mhmsjsbp.dll
C:\WINDOWS\system32\mkghj.dll
C:\WINDOWS\system32\npVGQXyb.ini
C:\WINDOWS\system32\npVGQXyb.ini2
C:\WINDOWS\system32\qmssjv.dll
C:\WINDOWS\system32\qnamvhdg.ini
C:\WINDOWS\system32\qwpafqua.dll
C:\WINDOWS\system32\tqxtcgnm.dll
C:\WINDOWS\system32\xvowrxjh.ini
----- BITS: Possible infected sites -----
http://www.flickr.com
http://farm4.static.flickr.com
http://farm3.static.flickr.com
.
((((((((((((((((((((((((( Files Created from 2008-08-09 to 2008-09-09 )))))))))))))))))))))))))))))))
.
2008-09-09 13:45 . 2008-09-09 13:45 <DIR> d-------- C:\Program Files\CCleaner
2008-09-08 18:55 . 2008-09-08 18:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-08 14:58 . 2007-04-25 12:21 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-09-08 14:58 . 2008-09-08 14:58 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-07 23:54 . 2008-09-08 00:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-07 23:54 . 2008-09-08 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-07 23:25 . 2008-09-07 23:25 12,609 --a------ C:\WINDOWS\DNAPrinters.ini
2008-09-06 18:41 . 2008-09-06 18:41 <DIR> d-------- C:\Documents and Settings\Mark Steinway\Application Data\System Tweaker
2008-09-06 18:40 . 2008-09-06 19:04 <DIR> d-------- C:\Program Files\Uniblue
2008-09-06 11:23 . 2008-09-09 14:41 70,026 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-09-06 11:23 . 2008-09-09 14:41 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-09-06 11:23 . 2008-09-09 14:41 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-09-06 11:23 . 2008-09-09 14:41 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-09-06 11:23 . 2008-09-09 14:41 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-09-06 11:23 . 2008-09-09 14:41 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-09-06 11:23 . 2008-09-09 14:41 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-09-06 11:23 . 2008-09-09 14:41 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-09-05 13:29 . 2008-09-05 13:29 <DIR> d-------- C:\Documents and Settings\Mark Steinway\Application Data\CallingID
2008-09-05 13:26 . 2008-09-05 13:26 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-09-05 13:26 . 2008-04-10 10:39 250,544 --a------ C:\WINDOWS\system32\KeyHelp.ocx
2008-09-05 13:23 . 2007-11-14 12:34 11,333,632 --a------ C:\WINDOWS\cfgmng32.exe
2008-09-05 13:23 . 2008-09-05 13:23 2,732,032 --a------ C:\WINDOWS\system32\win32cpr.dll
2008-09-05 13:23 . 2008-09-05 13:23 1,564,771 --a------ C:\WINDOWS\system32\winsflt.dll
2008-09-05 13:23 . 2007-11-14 12:34 1,212,416 --a------ C:\WINDOWS\system32\mdmcls32.exe
2008-09-05 13:23 . 2007-11-14 12:35 823,296 --a------ C:\WINDOWS\system32\svcprs32.exe
2008-09-05 13:22 . 2008-09-05 13:23 <DIR> d-------- C:\WINDOWS\rnapxs
2008-09-05 13:22 . 2007-11-14 12:26 1,830,912 --a------ C:\WINDOWS\system32\winsflte.dll
2008-09-05 13:22 . 2002-01-01 13:02 7,440 --a------ C:\WINDOWS\system32\sporder.dll
2008-09-05 08:23 . 2008-09-05 08:23 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-04 18:59 . 2008-09-01 11:21 167,936 --a------ C:\WINDOWS\system32\avm.cpl
2008-09-04 18:47 . 2008-09-04 23:23 586 --ahs---- C:\WINDOWS\system32\djitxday.ini
2008-09-04 18:39 . 2008-09-04 18:39 103,552 --a------ C:\WINDOWS\system32\bkjtstph.dll
2008-09-04 18:33 . 2008-08-28 15:57 3,262 --a------ C:\WINDOWS\system32\2.ico
2008-09-04 18:30 . 2008-09-04 18:30 34,176 --a------ C:\WINDOWS\system32\urqRLbYq.dll
2008-09-04 18:29 . 2008-08-28 14:57 167,424 --a------ C:\WINDOWS\system32\MSA.cpl
2008-09-04 18:29 . 2008-09-04 12:34 86,016 --a------ C:\WINDOWS\sxmaokgf.exe
2008-09-04 18:29 . 2008-08-28 15:57 3,262 --a------ C:\WINDOWS\system32\1.ico
2008-09-03 18:57 . 2008-09-03 19:20 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-09-03 11:59 . 2008-09-03 11:59 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-15 19:05 . 2008-09-07 23:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-15 19:05 . 2008-08-15 19:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-13 22:45 . 2008-05-01 09:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-12 21:16 . 2008-08-12 21:16 <DIR> d-------- C:\Program Files\SuDokuV2
2008-08-12 21:16 . 2003-12-12 01:52 278,668 --a------ C:\WINDOWS\epsuninst.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-07 00:04 --------- d-----w C:\Documents and Settings\Mark Steinway\Application Data\Uniblue
2008-09-06 22:37 --------- d-----w C:\Program Files\WA_UIFastTax
2008-09-05 18:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-05 18:46 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-05 18:26 --------- d-----w C:\Program Files\CA
2008-09-04 12:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-25 12:31 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-22 16:18 --------- d-----w C:\Documents and Settings\Mark Steinway\Application Data\U3
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-09 08:07 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 15:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-14 00:05 91,376 ----a-w C:\WINDOWS\system32\isafprod.dll
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-02-26 21:18 724,984 ----a-w C:\Documents and Settings\Mark Steinway\gotomypc_437.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA16164D-96D5-4ACB-BCF7-BA486B8ABC1A}]
2008-09-04 18:30 34176 --a------ C:\WINDOWS\system32\urqRLbYq.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2008-05-05 1923352]
"RCHotKey"="C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe" [2008-03-12 32768]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 385024]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
"{DA16164D-96D5-4ACB-BCF7-BA486B8ABC1A}"= "C:\WINDOWS\system32\urqRLbYq.dll" [2008-09-04 34176]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2007-04-27 13:10 18744 C:\WINDOWS\system32\PCANotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqRLbYq]
2008-09-04 18:30 34176 C:\WINDOWS\system32\urqRLbYq.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"C:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\RosettaStoneVersion3.exe"=
"C:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\support\\bin\\RosettaStoneLtdServices.exe"=
"C:\\WINDOWS\\system32\\lxdfcoms.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\lxdfamon.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\frun.exe"=
"C:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\LXDFFax.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\lxdfmon.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfpswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdftime.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfjswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfwbgw.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"3351:TCP"= 3351:TCP:Pervasive DBEngine
"<NO NAME>"=
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2008-03-19 93712]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2008-03-21 63504]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2008-03-21 45584]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2008-03-19 115216]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2008-06-04 134648]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2008-03-21 66576]
R2 lxdf_device;lxdf_device;C:\WINDOWS\system32\lxdfcoms.exe [2007-05-29 598960]
R2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe [2007-05-29 99248]
R2 NeatReceipts Database Controller;NeatReceipts Database Controller;C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe [2008-02-05 228480]
R2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;C:\WINDOWS\system32\srvany.exe [2006-10-12 8192]
R2 UmxAgent;HIPS Event Manager;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-18 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 801296]
R2 UmxPol;HIPS Policy Manager;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-04-15 281104]
R2 WinSvchostManager;WinSock Svchost Manager;C:\WINDOWS\system32\svcprs32.exe [2007-11-14 823296]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2008-05-30 88816]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-09-06 194048]
R3 WmaCDriverV32;WmaCDriverV32;C:\WINDOWS\system32\drivers\WmaCDriverV32.sys [2007-06-04 513152]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-01 29744]
S3 MSSQL$NR2007;SQL Server (NR2007);c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser2.sys [2007-10-12 99200]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2006-12-18 18560]
S3 PPCtlPriv;PPCtlPriv;C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2008-04-10 185608]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
BHO-{25BE743D-A0D4-446D-B01B-9B93CFDDF0BB} - C:\WINDOWS\system32\byXQGVpn.dll
HKCU-Run-Uniblue SpeedUpMyPC - (no file)
HKLM-Run-ecc91cf8 - C:\WINDOWS\system32\gdhvmanq.dll
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKCU-Main,SearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=zuzed004YYUS_ZZzer000&fl=0&ptb=yuE.jzdPEJ4.RxGDSBiB1A&url=http://www.ask.com/web&q={searchTerms}&l=zu&o=sb
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &Search - ?p=zuzed004YYUS_ZZzer000
O8 -: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 -: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 -: Identities Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O8 -: Logoff - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O8 -: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O8 -: RoboForm Options - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O8 -: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 -: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 -: Set Fields - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 -: {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 -: {320AF880-6646-11D3-ABEE-C5DBF3571F52} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 -: {45DB34C3-955C-11D3-ABEF-444553540000} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 -: {45DB34C3-955C-11D3-ABEF-444553540001} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O16 -: {EE85A9FD-6E52-4227-BB82-D46A660690EA} - hxxps://service.ringcentral.com/ActiveX/RCAXSetup.cab
C:\WINDOWS\Downloaded Program Files\RCAXSetup.inf
C:\WINDOWS\system32\NPRCAS.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-09 15:01:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\urqRLbYq.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdfserv.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
C:\WINDOWS\system32\searchindexer.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2008-09-09 15:18:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-09 20:15:51
Pre-Run: 63,556,681,728 bytes free
Post-Run: 63,412,482,048 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
327 --- E O F --- 2008-09-04 12:38:42
Ccleaner Install List:
ABBYY FineReader 6.0 Sprint
Adobe Acrobat 8.1.2 Professional
Adobe Bridge 1.0
Adobe ExtendScript Toolkit 1.0
Adobe Production Studio
AI RoboForm (All Users)
Apple Mobile Device Support
Apple Software Update
Broadcom Management Programs
Business Contact Manager for Outlook 2007 SP1
CA Internet Security Suite
CCleaner (remove only)
Conexant HDA D110 MDC V.92 Modem
Dell Support 3.2.1
Dell Support Center
Dell System Restore
Dell Wireless WLAN Card
Digital Content Portal
Digital Line Detect
FAS for Peachtree by Sage
Flickr Uploadr 2.5.0.15
FloorPlan 3D v11
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
HP Document Viewer 6.1
HP Driver Diagnostics
HP Extended Capabilities 6.1
HP Image Zone Express
HP Imaging Device Functions 7.0
HP Officejet All-In-One Series
HP Photosmart Premier Software 6.1
HP PSC & OfficeJet 5.3.B
HP PSC & OfficeJet 6.1.A
HP Solution Center 7.0
HP Update
HYDRA MP3 player
Intel(R) Graphics Media Accelerator Driver
iriver Music Manager
iRiver Updater
ItsDeductible Express
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1
Lexmark 6500 Series
Linksys EasyLink Advisor 1.6 (0033)
Live Search Maps Add-In for Microsoft Office Outlook
LiveReg (Symantec Corporation)
LiveUpdate 3.2 (Symantec Corporation)
Mastersoft Mobile Solutions SuDokuV2
Maxtor Backup
Maxtor OneTouch III
MediaDirect
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Accounting 2007
Microsoft Office Accounting ADP Payroll Addin
Microsoft Office Accounting Equifax Addin
Microsoft Office Accounting Fixed Asset Manager
Microsoft Office Accounting PayPal Addin
Microsoft Office FrontPage 2003
Microsoft Office Professional 2007
Microsoft Office Small Business Connectivity Components
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Streets & Trips 2008
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser and SDK
Mobile Broadband Generic Drivers
Modem Helper
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
NeatReceipts Professional
NeatScan To Office
NetWaiting
Ofoto Print@Home ActiveX Control
OpenMG Secure Module 4.7.00
OutlookAddinSetup
Palm Desktop and Synchronization Software
Peachtree Complete Accounting 2008
Peachtree Premium Accounting for Nonprofits 2007
Pervasive Software PSQL v9.1 Client
Pervasive System Analyzer v9.1
QuickBooks Premier: Accountant Edition 2007
QuickSet
QuickTime
RealPlayer
Rhapsody Player Engine
RingCentral Call Controller
Rosetta Stone V3 DEMO
Sage Software Integration Services
SearchAssist
Snapshot Viewer
Sonic Audio module
Sonic Copy Module
Sonic DLA
Sonic RecordNow Data
Sonic Update Manager
Sprint Mobile Broadband (Novatel Wireless)
Spybot - Search & Destroy
StompSoft Recover Lost Data
SupportSoft Assisted Service
Symantec pcAnywhere
Synaptics Pointing Device Driver
TurboTax Premier 2004
Uniblue RegistryBooster 2
Uniblue SpeedUpMyPC 3
Uniblue System Tweaker
URL Assistant
WebEx
WexTech AnswerWorks
Windows Desktop Search 3.01
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
WMAConvert 2.5.7
Yahoo! 工具列
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
New HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:28:52 PM, on 9/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdfserv.exe
C:\WINDOWS\system32\lxdfcoms.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\svcprs32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070425
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {DA16164D-96D5-4ACB-BCF7-BA486B8ABC1A} - C:\WINDOWS\system32\urqRLbYq.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [RCHotKey] "C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - ?p=zuzed004YYUS_ZZzer000
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Identities Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O8 - Extra context menu item: Logoff - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O8 - Extra context menu item: RoboForm Options - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Set Fields - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O9 - Extra 'Tools' menuitem: RoboForm Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O9 - Extra button: Customize - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra 'Tools' menuitem: Customize Menu - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Set Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra 'Tools' menuitem: Set Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra button: Logoff - {320AF880-6646-11D3-ABEE-C5DBF3571F55} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O9 - Extra 'Tools' menuitem: Logoff - {320AF880-6646-11D3-ABEE-C5DBF3571F55} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O9 - Extra button: Identities - {45DB34C3-955C-11D3-ABEF-444553540000} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 - Extra 'Tools' menuitem: Identities Editor - {45DB34C3-955C-11D3-ABEF-444553540000} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 - Extra button: Passcards - {45DB34C3-955C-11D3-ABEF-444553540001} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O9 - Extra 'Tools' menuitem: Passcards Editor - {45DB34C3-955C-11D3-ABEF-444553540001} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.kodakgallery.com/downloads/hmpr/HMPR_WIN_IE_1/wiaaut.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.pasadosafehaven.org/Remote/msrdp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://eval.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {EE85A9FD-6E52-4227-BB82-D46A660690EA} (RCSetup Class) - https://service.ringcentral.com/ActiveX/RCAXSetup.cab
O20 - Winlogon Notify: urqRLbYq - C:\WINDOWS\SYSTEM32\urqRLbYq.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe
O23 - Service: lxdf_device - - C:\WINDOWS\system32\lxdfcoms.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NeatReceipts Database Controller - Digital Business Processes - C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 16840 bytes
Registry Cleaners
Re. Uniblue RegistryBooster 2
I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners:
Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems. The point we are trying to make is that the risk of using one far outweighs any benefit. If it does work perfectly you will not see any difference. If it doesn't work properly you may end up with an expensive doorstop.
http://forums.whatthetech.com/Regcleaner_t42862.html
I recommend that you uninstall Uniblue RegistryBooster 2 from your computer.
Step # 1: Add/Remove Programs
You have some leftover Norton remnants that need to be removed.
Go to Start-Settings-Control Panel, click on Add Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.
LiveReg (Symantec Corporation)
LiveUpdate 3.2 (Symantec Corporation)
Reboot your Computer.
Step # 2: Run CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
KILLALL::
File::
C:\WINDOWS\system32\djitxday.ini
C:\WINDOWS\system32\bkjtstph.dll
C:\WINDOWS\system32\urqRLbYq.dll
C:\WINDOWS\system32\MSA.cpl
C:\WINDOWS\sxmaokgf.exe
C:\WINDOWS\system32\1.ico
C:\WINDOWS\system32\2.ico
DirLook::
C:\WINDOWS\rnapxs
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA16164D-96D5-4ACB-BCF7-BA486B8ABC1A}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{DA16164D-96D5-4ACB-BCF7-BA486B8ABC1A}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqRLbYq]
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Note: This CFScript is for use on mark in nola's computer only! Do not use it on your computer.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
In your next post/reply, I need to see the following:
1. ComboFix Log that appears after Step 2 has been completed.
2. A fresh HiJackThis Log taken after Step 2 has been completed.
mark_in_nola
2008-09-10, 06:49
Was running the combofix and had to leave for dinner. Came back and my computer went into hibernate and the process was frozen. Tried running again, but it wouldn't work right. Finally when I rebooted and went through the whole process again, everything worked. I hope this gives you what you need:
Combofix log file:
ComboFix 08-09-05.12 - Mark Steinway 2008-09-09 22:06:01.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1563 [GMT -5:00]
Running from: C:\Documents and Settings\Mark Steinway\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark Steinway\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\sxmaokgf.exe
C:\WINDOWS\system32\1.ico
C:\WINDOWS\system32\2.ico
C:\WINDOWS\system32\awtutrpq.dll
C:\WINDOWS\system32\bkjtstph.dll
C:\WINDOWS\system32\djitxday.ini
C:\WINDOWS\system32\dtwgmsxk.ini
C:\WINDOWS\system32\kxsmgwtd.dll
C:\WINDOWS\system32\MSA.cpl
C:\WINDOWS\system32\nbeitgcv.dll
C:\WINDOWS\system32\qprtutwa.ini
C:\WINDOWS\system32\qprtutwa.ini2
C:\WINDOWS\system32\urqRLbYq.dll
C:\WINDOWS\system32\vewbir.dll
.
((((((((((((((((((((((((( Files Created from 2008-08-10 to 2008-09-10 )))))))))))))))))))))))))))))))
.
2008-09-09 13:45 . 2008-09-09 13:45 <DIR> d-------- C:\Program Files\CCleaner
2008-09-08 18:55 . 2008-09-08 18:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-08 14:58 . 2007-04-25 12:21 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-09-08 14:58 . 2008-09-08 14:58 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-07 23:54 . 2008-09-08 00:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-07 23:54 . 2008-09-08 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-07 23:25 . 2008-09-07 23:25 12,609 --a------ C:\WINDOWS\DNAPrinters.ini
2008-09-06 18:41 . 2008-09-06 18:41 <DIR> d-------- C:\Documents and Settings\Mark Steinway\Application Data\System Tweaker
2008-09-06 18:40 . 2008-09-09 18:48 <DIR> d-------- C:\Program Files\Uniblue
2008-09-06 11:23 . 2008-09-09 22:15 163,682 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-09-06 11:23 . 2008-09-09 22:15 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-09-06 11:23 . 2008-09-09 22:15 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-09-06 11:23 . 2008-09-09 22:15 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-09-06 11:23 . 2008-09-09 22:15 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-09-06 11:23 . 2008-09-09 22:15 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-09-06 11:23 . 2008-09-09 22:15 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-09-06 11:23 . 2008-09-09 22:15 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-09-05 13:29 . 2008-09-05 13:29 <DIR> d-------- C:\Documents and Settings\Mark Steinway\Application Data\CallingID
2008-09-05 13:26 . 2008-09-05 13:26 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-09-05 13:26 . 2008-04-10 10:39 250,544 --a------ C:\WINDOWS\system32\KeyHelp.ocx
2008-09-05 13:23 . 2007-11-14 12:34 11,333,632 --a------ C:\WINDOWS\cfgmng32.exe
2008-09-05 13:23 . 2008-09-05 13:23 2,732,032 --a------ C:\WINDOWS\system32\win32cpr.dll
2008-09-05 13:23 . 2008-09-05 13:23 1,564,771 --a------ C:\WINDOWS\system32\winsflt.dll
2008-09-05 13:23 . 2007-11-14 12:34 1,212,416 --a------ C:\WINDOWS\system32\mdmcls32.exe
2008-09-05 13:23 . 2007-11-14 12:35 823,296 --a------ C:\WINDOWS\system32\svcprs32.exe
2008-09-05 13:22 . 2008-09-05 13:23 <DIR> d-------- C:\WINDOWS\rnapxs
2008-09-05 13:22 . 2007-11-14 12:26 1,830,912 --a------ C:\WINDOWS\system32\winsflte.dll
2008-09-05 13:22 . 2002-01-01 13:02 7,440 --a------ C:\WINDOWS\system32\sporder.dll
2008-09-05 08:23 . 2008-09-05 08:23 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-04 18:59 . 2008-09-01 11:21 167,936 --a------ C:\WINDOWS\system32\avm.cpl
2008-09-03 18:57 . 2008-09-03 19:20 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-09-03 11:59 . 2008-09-03 11:59 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-15 19:05 . 2008-09-07 23:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-15 19:05 . 2008-08-15 19:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-13 22:45 . 2008-05-01 09:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-12 21:16 . 2008-08-12 21:16 <DIR> d-------- C:\Program Files\SuDokuV2
2008-08-12 21:16 . 2003-12-12 01:52 278,668 --a------ C:\WINDOWS\epsuninst.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-09 23:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-07 00:04 --------- d-----w C:\Documents and Settings\Mark Steinway\Application Data\Uniblue
2008-09-06 22:37 --------- d-----w C:\Program Files\WA_UIFastTax
2008-09-05 18:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-05 18:46 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-05 18:26 --------- d-----w C:\Program Files\CA
2008-09-04 12:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-25 12:31 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-22 16:18 --------- d-----w C:\Documents and Settings\Mark Steinway\Application Data\U3
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 15:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-14 00:05 91,376 ----a-w C:\WINDOWS\system32\isafprod.dll
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-02-26 21:18 724,984 ----a-w C:\Documents and Settings\Mark Steinway\gotomypc_437.exe
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\WINDOWS\rnapxs ----
2008-09-09 21:29 92630 --a------ C:\WINDOWS\rnapxs\logs\20080909.plf
2008-09-09 19:11 491520 --a------ C:\WINDOWS\rnapxs\CSDK\urlcache\urlCacheDb.dat
2008-09-09 19:11 1110016 --a------ C:\WINDOWS\rnapxs\CSDK\urlcache\urlCacheDb.idx
2008-09-09 18:55 61440 --a------ C:\WINDOWS\rnapxs\CSDK\urlcache\domainNames.dat
2008-09-09 18:55 110592 --a------ C:\WINDOWS\rnapxs\CSDK\urlcache\domainNames.idx
2008-09-08 22:45 107678 --a------ C:\WINDOWS\rnapxs\logs\20080908.plf
2008-09-08 18:24 36 --a------ C:\WINDOWS\rnapxs\StLst\rutops.dat
2008-09-07 23:53 84539 --a------ C:\WINDOWS\rnapxs\logs\20080907.plf
2008-09-06 19:02 271184 --a------ C:\WINDOWS\rnapxs\logs\20080906.plf
2008-09-05 23:47 2642 --a------ C:\WINDOWS\rnapxs\logs\20080905.plf
2008-09-05 14:10 4771032 --a------ C:\WINDOWS\rnapxs\StLst\icnStLst
2008-09-05 13:23 30720 --ahs---- C:\WINDOWS\rnapxs\rnapxs.dat
2007-03-07 13:56 12047 --a------ C:\WINDOWS\rnapxs\CSDK\data\dic
2006-01-11 15:05 2028519 --a------ C:\WINDOWS\rnapxs\CSDK\data\n00
2006-01-11 15:05 191 --a------ C:\WINDOWS\rnapxs\CSDK\data\enc
2006-01-11 15:05 1708978 --a------ C:\WINDOWS\rnapxs\CSDK\data\n01
((((((((((((((((((((((((((((( snapshot@2008-09-09_15.11.03.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-09 19:14:35 61,440 ----a-w C:\WINDOWS\rnapxs\CSDK\urlcache\domainNames.dat
+ 2008-09-09 23:55:07 61,440 ----a-w C:\WINDOWS\rnapxs\CSDK\urlcache\domainNames.dat
- 2008-09-09 19:14:35 483,328 ----a-w C:\WINDOWS\rnapxs\CSDK\urlcache\urlCacheDb.dat
+ 2008-09-10 00:11:37 491,520 ----a-w C:\WINDOWS\rnapxs\CSDK\urlcache\urlCacheDb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3bdf6ce4-ea09-4000-92ed-d020bd7ad7cb}]
C:\WINDOWS\system32\vewbir.dll [BU]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2D12CAE-9BD0-409D-A443-EDC0A689C7CF}]
C:\WINDOWS\system32\awtutrpq.dll [BU]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [BU]
"RCHotKey"="C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe" [2008-03-12 32768]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 385024]
"ecc91cf8"="C:\WINDOWS\system32\kxsmgwtd.dll" [BU]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=vewbir.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"C:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\RosettaStoneVersion3.exe"=
"C:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\support\\bin\\RosettaStoneLtdServices.exe"=
"C:\\WINDOWS\\system32\\lxdfcoms.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\lxdfamon.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\frun.exe"=
"C:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\LXDFFax.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\lxdfmon.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfpswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdftime.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfjswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfwbgw.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"3351:TCP"= 3351:TCP:Pervasive DBEngine
"<NO NAME>"=
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2008-03-19 93712]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2008-03-21 63504]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2008-03-21 45584]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2008-03-19 115216]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2008-06-04 134648]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2008-03-21 66576]
R2 lxdf_device;lxdf_device;C:\WINDOWS\system32\lxdfcoms.exe [2007-05-29 598960]
R2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe [2007-05-29 99248]
R2 NeatReceipts Database Controller;NeatReceipts Database Controller;C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe [2008-02-05 228480]
R2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;C:\WINDOWS\system32\srvany.exe [2006-10-12 8192]
R2 UmxAgent;HIPS Event Manager;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-18 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 801296]
R2 UmxPol;HIPS Policy Manager;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-04-15 281104]
R2 WinSvchostManager;WinSock Svchost Manager;C:\WINDOWS\system32\svcprs32.exe [2007-11-14 823296]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2008-05-30 88816]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-09-06 194048]
R3 WmaCDriverV32;WmaCDriverV32;C:\WINDOWS\system32\drivers\WmaCDriverV32.sys [2007-06-04 513152]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-01 29744]
S3 MSSQL$NR2007;SQL Server (NR2007);c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser2.sys [2007-10-12 99200]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2006-12-18 18560]
S3 PPCtlPriv;PPCtlPriv;C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2008-04-10 185608]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-09 22:20:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\MLANG.dll
-> ?:\WINDOWS\system32\MLANG.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdfserv.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\mdmcls32.exe
.
**************************************************************************
.
Completion time: 2008-09-09 22:33:09 - machine was rebooted [Mark Steinway]
ComboFix-quarantined-files.txt 2008-09-10 03:32:43
ComboFix2.txt 2008-09-09 20:18:27
Pre-Run: 63,771,672,576 bytes free
Post-Run: 63,762,665,472 bytes free
287 --- E O F --- 2008-09-04 12:38:42
New HJT log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:47 PM, on 9/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdfserv.exe
C:\WINDOWS\system32\lxdfcoms.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\svcprs32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070425
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: {bc7da7db-020d-de29-0004-90ae4ec6fdb3} - {3bdf6ce4-ea09-4000-92ed-d020bd7ad7cb} - C:\WINDOWS\system32\vewbir.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A2D12CAE-9BD0-409D-A443-EDC0A689C7CF} - C:\WINDOWS\system32\awtutrpq.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ecc91cf8] rundll32.exe "C:\WINDOWS\system32\kxsmgwtd.dll",b
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [RCHotKey] "C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - ?p=zuzed004YYUS_ZZzer000
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Identities Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O8 - Extra context menu item: Logoff - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O8 - Extra context menu item: RoboForm Options - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Set Fields - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O9 - Extra 'Tools' menuitem: RoboForm Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O9 - Extra button: Customize - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra 'Tools' menuitem: Customize Menu - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Set Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra 'Tools' menuitem: Set Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra button: Logoff - {320AF880-6646-11D3-ABEE-C5DBF3571F55} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O9 - Extra 'Tools' menuitem: Logoff - {320AF880-6646-11D3-ABEE-C5DBF3571F55} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O9 - Extra button: Identities - {45DB34C3-955C-11D3-ABEF-444553540000} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 - Extra 'Tools' menuitem: Identities Editor - {45DB34C3-955C-11D3-ABEF-444553540000} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 - Extra button: Passcards - {45DB34C3-955C-11D3-ABEF-444553540001} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O9 - Extra 'Tools' menuitem: Passcards Editor - {45DB34C3-955C-11D3-ABEF-444553540001} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.kodakgallery.com/downloads/hmpr/HMPR_WIN_IE_1/wiaaut.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.pasadosafehaven.org/Remote/msrdp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://eval.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {EE85A9FD-6E52-4227-BB82-D46A660690EA} (RCSetup Class) - https://service.ringcentral.com/ActiveX/RCAXSetup.cab
O20 - AppInit_DLLs: vewbir.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe
O23 - Service: lxdf_device - - C:\WINDOWS\system32\lxdfcoms.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NeatReceipts Database Controller - Digital Business Processes - C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 16782 bytes
Step # 1 Update Java
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u7 (http://www.java.com/en/download/manual.jsp).
Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Remove the following old versions of Java:
J2SE Runtime Environment 5.0 Update 6
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
From your desktop double-click on the download to install the newest version.
Step # 2 Run CCleaner
CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!
Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
Then select the items you wish to clean up.
In the Windows Tab:
Clean all entries in the Internet Explorer section except Cookies
Clean all the entries in the Windows Explorer section
Clean all entries in the System section
Clean all entries in the Advanced section
Clean any others that you choose
In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it
Clean all in the Opera section if you use it
Clean Sun Java in the Internet Section
Clean any others that you choose
Click the Run Cleaner button.
A pop up box will appear advising this process will permanently delete files from your system.
Click OK and it will scan and clean your system.
Click exit when done.
If it asks you to reboot at the end, click NO
Step # 3: Run CFScript
Delete CFScript.txt from your Desktop, you will be creating and running a new one.
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
KILLALL::
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3bdf6ce4-ea09-4000-92ed-d020bd7ad7cb}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2D12CAE-9BD0-409D-A443-EDC0A689C7CF}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ecc91cf8"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=""
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Note: This CFScript is for use on mark in nola's computer only! Do not use it on your computer.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Step # 4 Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
Next click the Scanner tab and select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:
Click on the Malwarebytes' Anti-Malware icon to launch the program.
Click on the Logs tab.
Click on the log at the bottom of those listed to highlight it.
Click Open.
In your next post/reply, I need to see the following:
1. The ComboFix Log that appears after Step 3 has been completed.
2. MalwareBytes' Log
3. A fresh HijackThis Log taken after all steps have been completed.
mark_in_nola
2008-09-10, 21:05
First of all, thank you so much for continuing to help me. You guys rock! And I will definitely donate whatever I can to help out spybot. Now for the latest scans:
ComboFix Log:
ComboFix 08-09-05.12 - Mark Steinway 2008-09-10 12:19:57.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1576 [GMT -5:00]
Running from: C:\Documents and Settings\Mark Steinway\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark Steinway\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-08-10 to 2008-09-10 )))))))))))))))))))))))))))))))
.
2008-09-10 12:07 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-10 12:06 . 2008-09-10 12:06 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-09 13:45 . 2008-09-09 13:45 <DIR> d-------- C:\Program Files\CCleaner
2008-09-08 18:55 . 2008-09-08 18:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-08 14:58 . 2007-04-25 12:21 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-09-08 14:58 . 2008-09-08 14:58 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-07 23:54 . 2008-09-08 00:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-07 23:54 . 2008-09-08 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-07 23:25 . 2008-09-07 23:25 12,609 --a------ C:\WINDOWS\DNAPrinters.ini
2008-09-06 18:41 . 2008-09-06 18:41 <DIR> d-------- C:\Documents and Settings\Mark Steinway\Application Data\System Tweaker
2008-09-06 18:40 . 2008-09-09 18:48 <DIR> d-------- C:\Program Files\Uniblue
2008-09-06 11:23 . 2008-09-10 12:29 166,906 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-09-06 11:23 . 2008-09-10 12:29 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-09-06 11:23 . 2008-09-10 12:29 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-09-06 11:23 . 2008-09-10 12:29 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-09-06 11:23 . 2008-09-10 12:29 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-09-06 11:23 . 2008-09-10 12:29 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-09-06 11:23 . 2008-09-10 12:29 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-09-06 11:23 . 2008-09-10 12:29 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-09-05 13:29 . 2008-09-05 13:29 <DIR> d-------- C:\Documents and Settings\Mark Steinway\Application Data\CallingID
2008-09-05 13:26 . 2008-09-05 13:26 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-09-05 13:26 . 2008-04-10 10:39 250,544 --a------ C:\WINDOWS\system32\KeyHelp.ocx
2008-09-05 13:23 . 2007-11-14 12:34 11,333,632 --a------ C:\WINDOWS\cfgmng32.exe
2008-09-05 13:23 . 2008-09-05 13:23 2,732,032 --a------ C:\WINDOWS\system32\win32cpr.dll
2008-09-05 13:23 . 2008-09-05 13:23 1,564,771 --a------ C:\WINDOWS\system32\winsflt.dll
2008-09-05 13:23 . 2007-11-14 12:34 1,212,416 --a------ C:\WINDOWS\system32\mdmcls32.exe
2008-09-05 13:23 . 2007-11-14 12:35 823,296 --a------ C:\WINDOWS\system32\svcprs32.exe
2008-09-05 13:22 . 2008-09-05 13:23 <DIR> d-------- C:\WINDOWS\rnapxs
2008-09-05 13:22 . 2007-11-14 12:26 1,830,912 --a------ C:\WINDOWS\system32\winsflte.dll
2008-09-05 13:22 . 2002-01-01 13:02 7,440 --a------ C:\WINDOWS\system32\sporder.dll
2008-09-05 08:23 . 2008-09-05 08:23 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-04 18:59 . 2008-09-01 11:21 167,936 --a------ C:\WINDOWS\system32\avm.cpl
2008-09-03 18:57 . 2008-09-03 19:20 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-09-03 11:59 . 2008-09-03 11:59 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-15 19:05 . 2008-09-07 23:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-15 19:05 . 2008-08-15 19:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-13 22:45 . 2008-05-01 09:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-12 21:16 . 2008-08-12 21:16 <DIR> d-------- C:\Program Files\SuDokuV2
2008-08-12 21:16 . 2003-12-12 01:52 278,668 --a------ C:\WINDOWS\epsuninst.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-10 17:07 --------- d-----w C:\Program Files\Java
2008-09-10 16:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-09 23:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-07 00:04 --------- d-----w C:\Documents and Settings\Mark Steinway\Application Data\Uniblue
2008-09-06 22:37 --------- d-----w C:\Program Files\WA_UIFastTax
2008-09-05 18:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-05 18:46 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-05 18:26 --------- d-----w C:\Program Files\CA
2008-08-25 12:31 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-22 16:18 --------- d-----w C:\Documents and Settings\Mark Steinway\Application Data\U3
2008-02-26 21:18 724,984 ----a-w C:\Documents and Settings\Mark Steinway\gotomypc_437.exe
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\WINDOWS\rnapxs ----
2008-09-10 12:19 61440 --a------ C:\WINDOWS\rnapxs\CSDK\urlcache\domainNames.dat
2008-09-10 12:19 499712 --a------ C:\WINDOWS\rnapxs\CSDK\urlcache\urlCacheDb.dat
2008-09-10 12:19 118784 --a------ C:\WINDOWS\rnapxs\CSDK\urlcache\domainNames.idx
2008-09-10 12:19 1118208 --a------ C:\WINDOWS\rnapxs\CSDK\urlcache\urlCacheDb.idx
2008-09-10 12:18 13326 --a------ C:\WINDOWS\rnapxs\logs\20080910.plf
2008-09-09 23:05 98385 --a------ C:\WINDOWS\rnapxs\logs\20080909.plf
2008-09-08 22:45 107678 --a------ C:\WINDOWS\rnapxs\logs\20080908.plf
2008-09-08 18:24 36 --a------ C:\WINDOWS\rnapxs\StLst\rutops.dat
2008-09-07 23:53 84539 --a------ C:\WINDOWS\rnapxs\logs\20080907.plf
2008-09-06 19:02 271184 --a------ C:\WINDOWS\rnapxs\logs\20080906.plf
2008-09-05 23:47 2642 --a------ C:\WINDOWS\rnapxs\logs\20080905.plf
2008-09-05 14:10 4771032 --a------ C:\WINDOWS\rnapxs\StLst\icnStLst
2008-09-05 13:23 30720 --ahs---- C:\WINDOWS\rnapxs\rnapxs.dat
2007-03-07 13:56 12047 --a------ C:\WINDOWS\rnapxs\CSDK\data\dic
2006-01-11 15:05 2028519 --a------ C:\WINDOWS\rnapxs\CSDK\data\n00
2006-01-11 15:05 191 --a------ C:\WINDOWS\rnapxs\CSDK\data\enc
2006-01-11 15:05 1708978 --a------ C:\WINDOWS\rnapxs\CSDK\data\n01
((((((((((((((((((((((((((((( snapshot@2008-09-09_15.11.03.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-09-15 02:45:58 16,901,168 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119410000000000000000F01FEC\12.0.6215\MSO.DLL
+ 2007-08-29 05:19:24 1,654,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119410000000000000000F01FEC\12.0.6215\OGL.DLL
- 2008-09-04 12:23:06 1,165,584 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-09-10 16:41:41 1,165,584 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
- 2008-09-04 12:23:08 20,240 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-09-10 16:41:42 20,240 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-09-04 12:23:07 217,864 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
+ 2008-09-10 16:41:42 217,864 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
- 2008-09-04 12:23:08 18,704 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-09-10 16:41:42 18,704 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-09-04 12:23:09 35,088 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-09-10 16:41:43 35,088 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-09-04 12:23:06 845,584 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-09-10 16:41:42 845,584 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
- 2008-09-04 12:23:07 922,384 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-09-10 16:41:42 922,384 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
- 2008-09-04 12:23:07 272,648 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-09-10 16:41:42 272,648 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
- 2008-09-04 12:23:08 888,080 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-09-10 16:41:43 888,080 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-09-04 12:23:06 1,172,240 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-09-10 16:41:41 1,172,240 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-08-25 12:31:07 12,288 ----a-r C:\WINDOWS\Installer\{91170409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-09-10 16:40:18 12,288 ----a-r C:\WINDOWS\Installer\{91170409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-08-25 12:31:07 282,624 ----a-r C:\WINDOWS\Installer\{91170409-6000-11D3-8CFE-0150048383C9}\fpicon.exe
+ 2008-09-10 16:40:18 282,624 ----a-r C:\WINDOWS\Installer\{91170409-6000-11D3-8CFE-0150048383C9}\fpicon.exe
- 2008-08-25 12:31:07 135,168 ----a-r C:\WINDOWS\Installer\{91170409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-09-10 16:40:19 135,168 ----a-r C:\WINDOWS\Installer\{91170409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-08-25 12:31:08 27,136 ----a-r C:\WINDOWS\Installer\{91170409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-09-10 16:40:19 27,136 ----a-r C:\WINDOWS\Installer\{91170409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-08-25 12:31:08 4,096 ----a-r C:\WINDOWS\Installer\{91170409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-09-10 16:40:19 4,096 ----a-r C:\WINDOWS\Installer\{91170409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-09-09 19:14:35 61,440 ----a-w C:\WINDOWS\rnapxs\CSDK\urlcache\domainNames.dat
+ 2008-09-10 17:19:44 61,440 ----a-w C:\WINDOWS\rnapxs\CSDK\urlcache\domainNames.dat
- 2008-09-09 19:14:35 483,328 ----a-w C:\WINDOWS\rnapxs\CSDK\urlcache\urlCacheDb.dat
+ 2008-09-10 17:19:44 499,712 ----a-w C:\WINDOWS\rnapxs\CSDK\urlcache\urlCacheDb.dat
- 2008-02-22 06:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 06:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-22 06:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 06:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-22 07:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 07:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-08-05 16:11:02 15,888,504 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-08-26 20:28:12 16,208,504 ----a-w C:\WINDOWS\system32\MRT.exe
- 2006-10-19 02:47:20 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
+ 2008-06-24 23:12:58 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
+ 2008-04-15 17:54:19 1,724,416 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3bdf6ce4-ea09-4000-92ed-d020bd7ad7cb}]
C:\WINDOWS\system32\vewbir.dll [BU]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2D12CAE-9BD0-409D-A443-EDC0A689C7CF}]
C:\WINDOWS\system32\awtutrpq.dll [BU]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [BU]
"RCHotKey"="C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe" [2008-03-12 32768]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 385024]
"ecc91cf8"="C:\WINDOWS\system32\kxsmgwtd.dll" [BU]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=vewbir.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"C:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\RosettaStoneVersion3.exe"=
"C:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\support\\bin\\RosettaStoneLtdServices.exe"=
"C:\\WINDOWS\\system32\\lxdfcoms.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\lxdfamon.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\frun.exe"=
"C:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\LXDFFax.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\lxdfmon.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfpswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdftime.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfjswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfwbgw.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"3351:TCP"= 3351:TCP:Pervasive DBEngine
"<NO NAME>"=
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2008-03-19 93712]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2008-03-21 63504]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2008-03-21 45584]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2008-03-19 115216]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2008-06-04 134648]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2008-03-21 66576]
R2 lxdf_device;lxdf_device;C:\WINDOWS\system32\lxdfcoms.exe [2007-05-29 598960]
R2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe [2007-05-29 99248]
R2 NeatReceipts Database Controller;NeatReceipts Database Controller;C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe [2008-02-05 228480]
R2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;C:\WINDOWS\system32\srvany.exe [2006-10-12 8192]
R2 UmxAgent;HIPS Event Manager;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-18 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 801296]
R2 UmxPol;HIPS Policy Manager;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-04-15 281104]
R2 WinSvchostManager;WinSock Svchost Manager;C:\WINDOWS\system32\svcprs32.exe [2007-11-14 823296]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2008-05-30 88816]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-09-06 194048]
R3 WmaCDriverV32;WmaCDriverV32;C:\WINDOWS\system32\drivers\WmaCDriverV32.sys [2007-06-04 513152]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-01 29744]
S3 MSSQL$NR2007;SQL Server (NR2007);c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser2.sys [2007-10-12 99200]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2006-12-18 18560]
S3 PPCtlPriv;PPCtlPriv;C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2008-04-10 185608]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-10 12:34:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdfserv.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
C:\WINDOWS\system32\searchindexer.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\mdmcls32.exe
.
**************************************************************************
.
Completion time: 2008-09-10 12:46:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-10 17:45:48
ComboFix2.txt 2008-09-10 03:33:11
ComboFix3.txt 2008-09-09 20:18:27
Pre-Run: 63,458,869,248 bytes free
Post-Run: 63,450,628,096 bytes free
280 --- E O F --- 2008-09-10 16:44:04
MalwareBytes' Log:
Malwarebytes' Anti-Malware 1.28
Database version: 1137
Windows 5.1.2600 Service Pack 2
9/10/2008 12:59:37 PM
mbam-log-2008-09-10 (12-59-37).txt
Scan type: Quick Scan
Objects scanned: 57639
Time elapsed: 6 minute(s), 49 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3bdf6ce4-ea09-4000-92ed-d020bd7ad7cb} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3bdf6ce4-ea09-4000-92ed-d020bd7ad7cb} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecc91cf8 (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\Mark Steinway\Start Menu\Programs\Registry Defender Platinum (Rogue.RegistryDefender) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\vewbir.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\avm.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:42 PM, on 9/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdfserv.exe
C:\WINDOWS\system32\lxdfcoms.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\svcprs32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070425
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {A2D12CAE-9BD0-409D-A443-EDC0A689C7CF} - C:\WINDOWS\system32\awtutrpq.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [RCHotKey] "C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - ?p=zuzed004YYUS_ZZzer000
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Identities Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O8 - Extra context menu item: Logoff - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O8 - Extra context menu item: RoboForm Options - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Set Fields - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O9 - Extra 'Tools' menuitem: RoboForm Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O9 - Extra button: Customize - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra 'Tools' menuitem: Customize Menu - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Set Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra 'Tools' menuitem: Set Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra button: Logoff - {320AF880-6646-11D3-ABEE-C5DBF3571F55} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O9 - Extra 'Tools' menuitem: Logoff - {320AF880-6646-11D3-ABEE-C5DBF3571F55} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O9 - Extra button: Identities - {45DB34C3-955C-11D3-ABEF-444553540000} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 - Extra 'Tools' menuitem: Identities Editor - {45DB34C3-955C-11D3-ABEF-444553540000} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 - Extra button: Passcards - {45DB34C3-955C-11D3-ABEF-444553540001} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O9 - Extra 'Tools' menuitem: Passcards Editor - {45DB34C3-955C-11D3-ABEF-444553540001} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.kodakgallery.com/downloads/hmpr/HMPR_WIN_IE_1/wiaaut.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.pasadosafehaven.org/Remote/msrdp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://eval.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {EE85A9FD-6E52-4227-BB82-D46A660690EA} (RCSetup Class) - https://service.ringcentral.com/ActiveX/RCAXSetup.cab
O20 - AppInit_DLLs: vewbir.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe
O23 - Service: lxdf_device - - C:\WINDOWS\system32\lxdfcoms.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NeatReceipts Database Controller - Digital Business Processes - C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 16717 bytes
Step # 1: Remove Hijackthis Entries
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {A2D12CAE-9BD0-409D-A443-EDC0A689C7CF} - C:\WINDOWS\system32\awtutrpq.dll (file missing)
O8 - Extra context menu item: &Search - ?p=zuzed004YYUS_ZZzer000
O20 - AppInit_DLLs: vewbir.dll
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.
Step # 2: Deleting Files/Folders
I need you to use Windows Explorer to delete the file I have marked in Red(if found):
C:\WINDOWS\system32\awtutrpq.dll
Step # 3: Run Kaspersky Online Scan
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
In your next post/reply, I need to see the following:
1. Kaspersky Log
2. A fresh HiJackThis Log
3. How is your computer doing, any problems?
mark_in_nola
2008-09-11, 08:19
Not sure if this posted before. Sorry if this is duplicate. Computer is running okay....a little faster. Have been minimizing IE use, so I can't give you a comprehensive assessment. Here are reports:
Kapersky log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, September 10, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, September 10, 2008 22:12:13
Records in database: 1209222
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
Scan statistics:
Files scanned: 135867
Threat name: 12
Infected objects: 15
Suspicious objects: 13
Duration of the scan: 04:14:18
File name / Threat name / Threats count
C:\Documents and Settings\Mark Steinway\My Documents\PSH\Hurricane Katrina\Claudia's Folder\Outlook from LA Laptop.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Mark Steinway\My Documents\PSH\Outlook Files\backup.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 10
C:\Documents and Settings\Mark Steinway\My Documents\PSH\Outlook Files\backup.pst Infected: Trojan-Spy.HTML.Bayfraud.hn 2
C:\Documents and Settings\Mark Steinway\My Documents\PSH\Outlook Files\backup.pst Infected: Trojan-Spy.HTML.Paylap.ep 1
C:\Documents and Settings\Mark Steinway\My Documents\PSH\Outlook Files\outlook.pst Suspicious: Exploit.HTML.Iframe.FileDownload 2
C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\junk.dum.vir Infected: Trojan.Win32.Agent.abux 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bkjtstph.dll.vir Infected: Trojan.Win32.Monder.mde 1
C:\QooBox\Quarantine\C\WINDOWS\system32\csjhwdnj.dll.vir Infected: Trojan.Win32.Monder.mfx 1
C:\QooBox\Quarantine\C\WINDOWS\system32\frzdve.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.dpl 1
C:\QooBox\Quarantine\C\WINDOWS\system32\gkwiylpc.dll.vir Infected: Trojan.Win32.Monder.mxs 1
C:\QooBox\Quarantine\C\WINDOWS\system32\idedck.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.dpp 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jmjdzf.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.dlj 1
C:\QooBox\Quarantine\C\WINDOWS\system32\kxsmgwtd.dll.vir Infected: Trojan.Win32.Monder.mxs 1
C:\QooBox\Quarantine\C\WINDOWS\system32\mfrvmtil.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.dlj 1
C:\QooBox\Quarantine\C\WINDOWS\system32\mhmsjsbp.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.dpl 1
C:\QooBox\Quarantine\C\WINDOWS\system32\MSA.cpl.vir Infected: not-a-virus:FraudTool.Win32.MSAntivirus.r 1
C:\QooBox\Quarantine\C\WINDOWS\system32\qwpafqua.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.dpp 1
The selected area was scanned.
Hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:20 PM, on 9/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdfserv.exe
C:\WINDOWS\system32\lxdfcoms.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\svcprs32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070425
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [RCHotKey] "C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Identities Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O8 - Extra context menu item: Logoff - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O8 - Extra context menu item: RoboForm Options - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Set Fields - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O9 - Extra 'Tools' menuitem: RoboForm Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O9 - Extra button: Customize - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra 'Tools' menuitem: Customize Menu - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Set Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra 'Tools' menuitem: Set Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra button: Logoff - {320AF880-6646-11D3-ABEE-C5DBF3571F55} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O9 - Extra 'Tools' menuitem: Logoff - {320AF880-6646-11D3-ABEE-C5DBF3571F55} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O9 - Extra button: Identities - {45DB34C3-955C-11D3-ABEF-444553540000} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 - Extra 'Tools' menuitem: Identities Editor - {45DB34C3-955C-11D3-ABEF-444553540000} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 - Extra button: Passcards - {45DB34C3-955C-11D3-ABEF-444553540001} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O9 - Extra 'Tools' menuitem: Passcards Editor - {45DB34C3-955C-11D3-ABEF-444553540001} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.kodakgallery.com/downloads/hmpr/HMPR_WIN_IE_1/wiaaut.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.pasadosafehaven.org/Remote/msrdp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://eval.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {EE85A9FD-6E52-4227-BB82-D46A660690EA} (RCSetup Class) - https://service.ringcentral.com/ActiveX/RCAXSetup.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe
O23 - Service: lxdf_device - - C:\WINDOWS\system32\lxdfcoms.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NeatReceipts Database Controller - Digital Business Processes - C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 16413 bytes
Open up Outlook and delete all e-mails in your Inbox that you no longer need. Also be sure to clear out all e-mails in the Deleted Items and Junk/Spam/Bulk folders as well.
Go ahead and use IE for the next couple of days and then let me know if things are looking good or if you are getting pop-ups, slowdown, or redirects. Anything that shouldn't be happening when you use IE. And if everything is running fine after 2-3 days, let me know that as well. :)
mark_in_nola
2008-09-11, 18:53
Thanks. I'll reply again in a couple days.
mark_in_nola
2008-09-11, 19:56
I'm having problems with my accounting program. Anything that we deleted that may have affected that? It's under Sage Software in Program Files. I know it uses a Pervasive database engine. Any ideas?
I'm having problems with my accounting program. Anything that we deleted that may have affected that? It's under Sage Software in Program Files. I know it uses a Pervasive database engine. Any ideas?
Looking back over what you've posted, I don't see anything that we deleted that could cause problems with your accounting program. Everything that we've deleted has been malicious.
Have you tried uninstalling then reinstalling the program?
You can also try contacting Sage's Tech Support (http://www.sage.com/customersupport.php)
mark_in_nola
2008-09-11, 23:51
I don't have my Peachtree discs here - will have to commute tomorrow to get the discs and reinstall. Tried to do a "repair", but something is corrupted and it doesn't do anything.
Another problem I'm having is when this whole thing hit me a week ago, I bought and downloaded CA's full version of Internet Security Suite Plus 2008 (don't laugh). Of course it didn't work and through several other steps ended up finding spybot (thank god!). Ever since I installed CA ISS, my Outlook 2007 has been prompting me for my password every frickin' time I send/receive. Big pain in the you-know-what. I uninstalled all of ISS except for antivirus, but still having the problems. Online with CA, they even did a complete uninstall of the entire ISS, including antivirus....and I still have the problem. I never had this problem before and they're insisting it's not their problem (typical). Any ideas? I went to Gmail and they haven't changed anything - checked all my settings and they seem good. I even went into Outlook and deleted my old mail account and created a new one from scratch....still being required to enter password. Aaaarrrgggghhhhh!
Did some research on your problem with Outlook 2007 and found some links, you can check them to see if they are helpful or not:
http://office.microsoft.com/en-us/outlook/HA101513541033.aspx
http://help.wugnet.com/office/Outlook-2007-Enter-network-password-prompt-ftopict1054103.html
http://www.google.com/search?hl=en&q=outlook+2007+password+prompt&aq=7&oq=Outlook+2007+pa
The last one is a Google search you can use to look through some more links to see if you can find a solution.
mark_in_nola
2008-09-15, 19:53
None of my financial programs work. I use both Peachtree and Quickbooks and neither will work. I haven't tried uninstalling and reinstalling Quickbooks yet, but I did try that with Peachtree to no avail. Also, I use an online payroll program with ADP and that won't work either. I can't even go to the page required to login, even though I've put it in my trusted sites. What the **** is going on????? Help! I'm sunk without access to these programs - this is my occupation. Thanks for any help you can give.
Mark
Go ahead and try uninstalling and reinstalling Quickbooks to see if that will work. When you try to install/re-install Peachtree does it give you any error messages?
I'm gonna have you do a scan on your computer to see if I can find anything that could possibly be causing this. If the scan comes up with nothing/I don't find anything I'll ask my fellow helpers/collegues if they can suggest anything to help you out with your situation.
Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
mark_in_nola? How are things coming along?
This topic has been archived due to inactivity.
As it has been five days or more since your last post, and I have posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread.
Applies only to the original poster, anyone else with similar problems please start a new topic.