Google Redirect Virus
I've been trying to get rid of a virus that redirects me when I click on a link after a Google search...so far, unsuccessfully. In searching the web, this seems to be a pretty common problem, but finding the right solution has eluded me.
I've run Spybot (clean), Malwarebytes Anti-malware (clean) and a couple of other virus scans. So far, no luck.
Here is the log from running HJT:
Logfile of HijackThis v1.99.1
Scan saved at 9:14:57 PM, on 9/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\ApMsgFwd.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Apoint\HidFind.exe
D:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDVDDXSrv] "d:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [HOILBOGL] %systemroot%\HOILBOGL.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: NCProTray.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: DscWeb - {01F09ABF-3225-817C-CC45-04F1C90A3081} - C:\Program Files\tjocub\DscWeb.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
Any help that you could provide in solving this problem would be greatly appreciated.
Thank you.
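Reading a HijackThis log by hand means scanning a few hundred lines for the handful that look out of place. The script below is an added example, not code from this thread or from the HijackThis project: it parses the O4 (Run key), O21 (SSODL) and O23 (service) line formats shown in the log above and attaches a note to each entry that matches a weak defender heuristic, using lines constructed from the posted log as input. The heuristics, their wording and the helper names are assumptions of this example; a non-zero score is a prompt to look closer, not a verdict.

```python
"""Heuristic triage of HijackThis (HJT) log entries.

Added example, not code from the thread or from HijackThis: parses the O4,
O21 and O23 line formats HJT emits and notes each entry matching a weak
indicator. A non-zero score means "look here first", not "this is malware".
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HOILBOGL] %systemroot%\HOILBOGL.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: DscWeb - {01F09ABF-3225-817C-CC45-04F1C90A3081} - C:\Program Files\tjocub\DscWeb.dll
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>O\d+) - (?P<rest>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def exe_path(cmd: str) -> str:
    """Executable/DLL path from a Run value or service path, lower-cased,
    with the XP environment variables HJT leaves unexpanded resolved."""
    cmd = cmd.strip().lower()
    cmd = cmd.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
    if cmd.startswith('"'):                      # quoted path, arguments follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|dll))", cmd)     # unquoted: stop at the module name
    return m.group(1) if m else (cmd.split() or [""])[0]


def score_entry(section: str, name: str, path: str, owner: str = "") -> Finding:
    """Apply the weak indicators that make sense for this HJT section."""
    f = Finding(section, name, path)
    exe = exe_path(path)
    stem = re.sub(r"\.[a-z]{3}$", "", exe.rsplit("\\", 1)[-1])
    if section == "O4":
        # Key name and file share an all-caps, dictionary-free name: common
        # for dropped loaders, rare for vendor-installed startup items.
        if re.fullmatch(r"[A-Z]{7,12}", name) and stem == name.lower():
            f.reasons.append("run key and file share an all-caps random-looking name")
        # Vendors install under Program Files or system32; a lone .exe in
        # the Windows root deserves a look.
        if re.fullmatch(r"c:\\windows\\[^\\]+\.exe", exe):
            f.reasons.append("executable sits directly in %systemroot%")
    elif section == "O21":
        # ShellServiceObjectDelayLoad DLLs are normally Microsoft's own in
        # system32; anything else is loaded into explorer.exe at logon.
        if not exe.startswith(SYSTEM32):
            f.reasons.append("SSODL DLL outside system32 (loads into explorer.exe)")
    elif section == "O23":
        if owner.lower() == "unknown owner":
            f.reasons.append("service binary has no recognised publisher")
        if "(file missing)" in path.lower():
            f.reasons.append("service points at a file that no longer exists")
        if path.count('"') % 2 == 1:
            f.reasons.append("unbalanced quote in service path")
    return f


def triage(log_text: str) -> list:
    """Parse O4/O21/O23 lines and return Findings, highest score first."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        if sec == "O4" and (r := RUN_RE.match(rest)):
            findings.append(score_entry(sec, r.group("name"), r.group("cmd")))
        elif sec in ("O21", "O23"):
            label = "SSODL: " if sec == "O21" else "Service: "
            parts = rest[len(label):].rsplit(" - ", 2) if rest.startswith(label) else []
            if len(parts) == 3:                  # name, CLSID-or-owner, path
                owner = parts[1] if sec == "O23" else ""
                findings.append(score_entry(sec, parts[0], parts[2], owner))
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        if f.reasons:
            print(f"[{f.section}] {f.name}: " + "; ".join(f.reasons))
```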
Hi
Disable Spybot's TeaTimer:
Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
On the left-hand side, click on Tools, then click on the Resident icon in the list.
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer.
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Thanks for your help. I've run both the combofix and hjt. Here are the logs:
Logfile of HijackThis v1.99.1
Scan saved at 12:27:26 PM, on 9/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Apoint\Apntex.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Apoint\HidFind.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\r_server.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDVDDXSrv] "d:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: NCProTray.lnk = ?
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: DscWeb - {01F09ABF-3225-817C-CC45-04F1C90A3081} - C:\Program Files\tjocub\DscWeb.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
Combofix:
ComboFix 08-09-24.08 - Steve Froning 2008-09-27 12:21:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1431 [GMT -6:00]
Running from: C:\Documents and Settings\Steve Froning\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Steve Froning\Cookies\steve_froning@insightexpressai[1].txt
C:\Documents and Settings\Steve Froning\Cookies\steve_froning@revsci[1].txt
C:\Documents and Settings\Steve Froning\Cookies\steve_froning@track.bestbuy[1].txt
C:\Documents and Settings\Steve Froning\Cookies\steve_froning@turn[2].txt
.
((((((((((((((((((((((((( Files Created from 2008-08-27 to 2008-09-27 )))))))))))))))))))))))))))))))
.
2008-09-18 22:25 . 2008-09-18 22:25 20 ---h----- C:\Documents and Settings\All Users\Application Data\PKP_DLck.DAT
2008-09-18 22:00 . 2008-09-18 22:00 0 --a------ C:\WINDOWS\ViewNX.INI
2008-09-18 21:48 . 2008-09-18 22:25 <DIR> d-------- C:\Documents and Settings\Steve Froning\Application Data\Nikon
2008-09-18 21:47 . 2008-06-12 10:29 6,475,096 --a------ C:\WINDOWS\system32\NEFcodec.dll
2008-09-18 21:47 . 2008-01-10 10:16 200,704 -ra------ C:\WINDOWS\system32\Strato7.dll
2008-09-18 21:47 . 2008-01-10 10:51 110,592 -ra------ C:\WINDOWS\system32\RCSigProc.dll
2008-09-18 21:47 . 2008-09-18 22:25 20 ---h----- C:\Documents and Settings\All Users\Application Data\PKP_DLbx.DAT
2008-09-18 21:42 . 2008-09-18 21:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Radio Sounds
2008-09-18 21:42 . 2008-09-18 22:23 20 ---h----- C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
2008-09-18 21:41 . 2008-09-18 21:53 <DIR> d-------- C:\Program Files\Common Files\Nikon
2008-09-18 21:41 . 2008-09-18 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nikon
2008-09-18 21:40 . 2008-09-18 21:47 <DIR> d-------- C:\Program Files\Nikon
2008-09-18 21:40 . 2008-09-18 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ultima_T15
2008-09-18 21:40 . 2008-09-18 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Plug-Ins
2008-09-18 21:40 . 2008-09-18 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EnterNHelp
2008-09-18 21:40 . 2008-09-18 22:24 20 ---h----- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
2008-09-17 23:20 . 2008-09-17 23:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-17 23:20 . 2008-09-17 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-13 22:59 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-13 22:58 . 2008-09-13 22:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-13 22:58 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-13 22:22 . 2008-09-13 22:22 <DIR> d-------- C:\Documents and Settings\Steve Froning\Application Data\Talkback
2008-09-13 22:22 . 2008-09-13 22:22 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-13 22:00 . 2008-09-24 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-13 20:56 . 2008-09-13 20:56 <DIR> d-------- C:\Documents and Settings\Steve Froning\Application Data\RegFixPro
2008-09-13 20:43 . 2008-09-13 22:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-10 21:51 . 2008-09-10 21:52 <DIR> d-------- C:\Program Files\iTunes
2008-09-10 21:51 . 2008-09-10 21:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-10 21:50 . 2008-09-10 21:50 <DIR> d-------- C:\Program Files\Bonjour
2008-09-10 21:49 . 2008-09-10 21:50 <DIR> d-------- C:\Program Files\QuickTime
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-09-01 20:24 . 2004-08-04 04:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-09-01 15:58 . 2008-09-01 15:58 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-01 15:58 . 2008-09-01 15:58 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-01 15:58 . 2008-09-01 15:58 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-01 15:57 . 2008-09-01 15:57 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-01 15:56 . 2008-09-01 15:56 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-29 10:18 . 2008-08-29 10:18 87,336 --a------ C:\WINDOWS\system32\dns-sd.exe
2008-08-29 09:53 . 2008-08-29 09:53 61,440 --a------ C:\WINDOWS\system32\dnssd.dll
2008-08-28 23:46 . 2008-04-13 18:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-19 03:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-18 05:40 --------- d-----w C:\Program Files\Enigma Software Group
2008-09-14 05:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\lszsnwlk
2008-09-14 04:37 --------- d-----w C:\Program Files\Full Tilt Poker
2008-09-14 04:34 --------- d-----w C:\Program Files\Google
2008-09-11 05:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-11 03:51 --------- d-----w C:\Program Files\iPod
2008-09-11 03:49 --------- d-----w C:\Program Files\Common Files\Apple
2008-08-24 23:43 --------- d-----w C:\Program Files\Java
2008-08-24 23:36 --------- d-----w C:\Program Files\Apple Software Update
2008-08-24 19:16 --------- d-----w C:\Documents and Settings\Steve Froning\Application Data\Malwarebytes
2008-08-24 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-24 04:10 --------- d-----w C:\Program Files\tjocub
2008-07-19 04:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 04:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 04:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 04:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 04:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 04:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 04:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 04:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 04:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 04:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-21 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-28 8429568]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 1392640]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-01-25 159744]
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PDVDDXSrv"="d:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="D:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2005-06-13 192512]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-11 406016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-29 185896]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-06-07 319488]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-08 289576]
"nwiz"="nwiz.exe" [2007-04-28 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-04-28 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2007-04-28 C:\WINDOWS\system32\nvmctray.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 C:\WINDOWS\stsystra.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
C:\Documents and Settings\Steve Froning\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-01-11 2150400]
NCProTray.lnk - C:\Program Files\SEC\Natural Color Pro\NCProTray.exe [2007-10-07 49220]
Nikon Monitor.lnk - C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-06-05 479232]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DscWeb"= {01F09ABF-3225-817C-CC45-04F1C90A3081} - C:\Program Files\tjocub\DscWeb.dll [2008-08-23 110592]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"D:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"D:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"D:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"D:\\Program Files\\realplay.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R2 r_server;Remote Administrator Service;C:\WINDOWS\system32\r_server.exe [2005-06-21 724992]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-HOILBOGL - C:\WINDOWS\HOILBOGL.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Steve Froning\Application Data\Mozilla\Firefox\Profiles\hc40a851.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-27 12:23:51
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-09-27 12:24:32
ComboFix-quarantined-files.txt 2008-09-27 18:24:29
Pre-Run: 2,226,798,592 bytes free
Post-Run: 2,662,830,080 bytes free
174 --- E O F --- 2008-09-24 03:54:32
If I did something incorrectly, please bear with me...
Thanks in advance for your help.
Hi
I think you did it correctly :)
Upload following file to http://www.virustotal.com and post back the results:
C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
Start hjt, do a system scan, check following entries if not set by yourself (if found):
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
Close browsers and fix checked.
Open notepad and copy/paste the text in the quotebox below into it:
Folder::
C:\Documents and Settings\All Users\Application Data\lszsnwlk
C:\Program Files\tjocub
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DscWeb"=-
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh hjt log and the above mentioned ComboFix resultant log.
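The helper's CFScript above targets two things that stand out in the ComboFix log: a ShellServiceObjectDelayLoad entry loading a DLL from outside system32, and folders with generated-looking names (tjocub, lszsnwlk). The script below is an added example written for this thread, not ComboFix, HijackThis or the helper's own tooling: it parses log lines in the shape of the "Reg Loading Points" and "Find3M Report" sections, applies those two heuristics, and renders the hits in the same Folder::/Registry:: CFScript form. The sample log is constructed from lines on this page, and the two heuristics (SSODL DLL outside system32; all-lowercase folder names of 6+ letters) are the editor's assumptions, so treat the output as a draft for a human to review rather than something to run blindly.

```python
"""Triage ComboFix log sections and draft a CFScript for the flagged items.

Added example for this thread; the heuristics are the editor's assumptions and
are not part of ComboFix, HijackThis or the helper's method.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied in the shape of the 'Reg Loading Points' and
# 'Find3M Report' sections of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-21 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-01-25 159744]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DscWeb"= {01F09ABF-3225-817C-CC45-04F1C90A3081} - C:\Program Files\tjocub\DscWeb.dll [2008-08-23 110592]
2008-09-14 05:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\lszsnwlk
2008-09-14 04:34 --------- d-----w C:\Program Files\Google
2008-08-24 04:10 --------- d-----w C:\Program Files\tjocub
2008-07-19 04:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"="C:\path\file.exe" [date size]   or   "Name"= {GUID} - C:\path\file.dll [date size]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?:"(?P<quoted>[^"]+)"|\{[^}]+\}\s*-\s*(?P<bare>.+?))\s*\[[^\]]*\]$'
)
# Find3M directory rows: date, time, nine dashes (no size), d-attributes, then the path
DIR_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+-{9}\s+d\S*\s+(?P<path>.+)$")

SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Finding:
    key: str                 # registry key for autostart entries, '' for Find3M folders
    name: str                # value name, or the folder's leaf name for Find3M hits
    path: str
    reasons: list = field(default_factory=list)


def looks_generated(dirname):
    """All-lowercase alphabetic names of 6-12 letters (tjocub, lszsnwlk) read as
    machine-generated; vendors normally capitalise (Google, Nikon). Assumption."""
    return re.fullmatch(r"[a-z]{6,12}", dirname) is not None


def triage(log_text):
    """Return the entries and folders the two heuristics flag, in log order."""
    findings, key = [], ""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            key = m.group("key")            # remember which hive/key we are under
            continue
        if (m := ENTRY_RE.match(line)):
            path = m.group("quoted") or m.group("bare")
            folder = path.rpartition("\\")[0]
            leaf = folder.rpartition("\\")[2]
            reasons = []
            if "shellserviceobjectdelayload" in key.lower() and not path.lower().startswith(SYSTEM32):
                reasons.append("SSODL entry loads a DLL from outside system32")
            if looks_generated(leaf):
                reasons.append(f"folder name '{leaf}' looks generated")
            if reasons:
                findings.append(Finding(key, m.group("name"), path, reasons))
            continue
        if (m := DIR_RE.match(line)):
            path = m.group("path").rstrip()
            leaf = path.rpartition("\\")[2]
            if looks_generated(leaf):
                findings.append(Finding("", leaf, path, [f"folder name '{leaf}' looks generated"]))
    return findings


def build_cfscript(findings):
    """Render findings in the Folder::/Registry:: form used in the helper's post."""
    folders, by_key = [], {}
    for f in findings:
        folder = f.path if f.key == "" else f.path.rpartition("\\")[0]
        if folder not in folders:
            folders.append(folder)
        if f.key:
            by_key.setdefault(f.key, []).append(f.name)
    lines = ["Folder::", *folders, "Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)   # "=-" deletes the value
    return "\n".join(lines)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h.name}: {h.path}  <- {'; '.join(h.reasons)}")
    print()
    print(build_cfscript(hits))
```

On the sample above the script flags DscWeb (both heuristics fire), lszsnwlk and tjocub, and leaves the ctfmon, Google toolbar and Apoint entries alone; the drafted CFScript matches the one the helper wrote by hand.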
File DLARTL_M.SYS received on 08.25.2008 18:35:04 (CET)
Current status: finished
Result: 0/36 (0.00%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.8.21.0 2008.08.25 -
AntiVir 7.8.1.23 2008.08.25 -
Authentium 5.1.0.4 2008.08.25 -
Avast 4.8.1195.0 2008.08.25 -
AVG 8.0.0.161 2008.08.25 -
BitDefender 7.2 2008.08.25 -
CAT-QuickHeal 9.50 2008.08.25 -
ClamAV 0.93.1 2008.08.25 -
DrWeb 4.44.0.09170 2008.08.25 -
eSafe 7.0.17.0 2008.08.24 -
eTrust-Vet 31.6.6044 2008.08.23 -
Ewido 4.0 2008.08.25 -
F-Prot 4.4.4.56 2008.08.25 -
F-Secure 7.60.13501.0 2008.08.25 -
Fortinet 3.14.0.0 2008.08.25 -
GData 2.0.7306.1023 2008.08.20 -
Ikarus T3.1.1.34.0 2008.08.25 -
K7AntiVirus 7.10.427 2008.08.23 -
Kaspersky 7.0.0.125 2008.08.25 -
McAfee 5369 2008.08.25 -
Microsoft 1.3807 2008.08.25 -
NOD32v2 3385 2008.08.25 -
Norman 5.80.02 2008.08.25 -
Panda 9.0.0.4 2008.08.25 -
PCTools 4.4.2.0 2008.08.25 -
Prevx1 V2 2008.08.25 -
Rising 20.59.00.00 2008.08.25 -
Sophos 4.32.0 2008.08.25 -
Sunbelt 3.1.1575.1 2008.08.23 -
Symantec 10 2008.08.25 -
TheHacker 6.3.0.6.060 2008.08.23 -
TrendMicro 8.700.0.1004 2008.08.25 -
VBA32 3.12.8.4 2008.08.25 -
ViRobot 2008.8.25.1348 2008.08.25 -
VirusBuster 4.5.11.0 2008.08.25 -
Webwasher-Gateway 6.6.2 2008.08.25 -
Additional information
File size: 28184 bytes
MD5...: 91886fed52a3f9966207bce46cfd794f
SHA1..: d00ab0414ca0aa6da2a902b30a81c19efec31c89
SHA256: 808425c5eca163626ed23ec0bb203c77870932c23ad9feeb39fe907314bb3997
SHA512: 99f87b0c25111e683b2695de10991e53970e09c8609d180428576145f768715f
727d8d4561a933dbd5eed1b09a7e83a0ab0fb7f474ef135d450092eabb8eb854
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x11a25
timedatestamp.....: 0x44dcbf84 (Fri Aug 11 17:33:56 2006)
machinetype.......: 0x14c (I386)
( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x320 0x2836 0x2840 6.48 aa9bf31620920d3811b5021873911bec
.rdata 0x2b60 0x1fc 0x200 3.94 4014239820f792cfbf70096ffd97050c
.data 0x2d60 0x13f4 0x1400 0.03 89140483fb5a50968431cf2a9e6ee4a5
.edata 0x4160 0x79b 0x7a0 5.29 03c9478532bd0666bb4172e28e2d85ff
INIT 0x4900 0x4f6 0x500 5.20 43ec1be927d94f084ce605d38fea3cea
.rsrc 0x4e00 0x2b8 0x2c0 3.14 5beb7dec74ec8021f50ed0b0cfb67de5
.reloc 0x50c0 0x24c 0x260 5.64 07d7ab5b625d24eb0d522d2e80b7bdd4
( 2 imports )
> ntoskrnl.exe: ZwCreateFile, ZwClose, ZwReadFile, ZwWriteFile, ZwSetInformationFile, ZwQueryInformationFile, memset, ZwQueryVolumeInformationFile, _allmul, memcpy, RtlCompareMemory, ExAllocatePoolWithTag, ExFreePoolWithTag, _wcsicmp, strlen, _strnicmp, wcscat, strcpy, PsGetVersion, IofCompleteRequest, IoRegisterShutdownNotification, IoCreateDevice, toupper, towupper, wcsncpy, KeWaitForSingleObject, KeReleaseMutex, KeGetCurrentThread, KeClearEvent, KeReadStateEvent, KeSetEvent, KeInitializeEvent, PsTerminateSystemThread, PsCreateSystemThread, KeTickCount, KeQueryTimeIncrement, _aulldiv, KeSetTimer, KeCancelTimer, KeInitializeDpc, KeInitializeTimer, RtlTimeToSecondsSince1970, ExSystemTimeToLocalTime, KeQuerySystemTime, RtlSecondsSince1970ToTime, _alldiv, ExLocalTimeToSystemTime, memmove, wcslen, KeInitializeMutex, wcscpy, mbstowcs, wcstombs
> HAL.dll: KfReleaseSpinLock, KfAcquireSpinLock
( 79 exports )
__2@YAPAXI@Z, __3@YAXPAX@Z, CancelTimeout, ClearProfileCache, FileClose, FileCreateNew, FileCreateUnique, FileDelete, FileExists, FileGetDiskInfo, FileGetFlags, FileGetSize, FileOpen, FileRead, FileRename, FileSetFlags, FileSetPointer, FileSetSize, FileWrite, FreeTimeout, GetOsTypeAndVersion, GetPrivateProfileLong, GetPrivateProfileString, GetSystemProperty, GetTimer, InitializeTimeout, NotifyIfsStarted, PageAlloc, PageFree, QueueAlloc, QueueFree, QueueRead, QueueReadTimeout, QueueWrite, RegisterDriverNotifyInfo, ScheduleTimeout, SemAlloc, SemCheck, SemFree, SemLock, SemLockTimeout, SemUnlock, SetSystemProperty, StrMatch, ThreadActive, ThreadBeginPreemptive, ThreadBlock, ThreadBlockTimeout, ThreadCreateSystemContext, ThreadDestroySystemContext, ThreadEndPreemptive, ThreadGetProperty, ThreadIsCriticalWaiting, ThreadSetProperty, ThreadSleep, ThreadStart, ThreadSystemYield, ThreadUnblock, TimeBreakupUnix, TimeBuildUnix, TimeLocalUnix, TimeNtToUnix, TimeNtZoneBias, TimeUnixLocalToUct, TimeUnixToNt, TimeUnixUctToLocal, TimeUnixZoneBias, WcsMatch, WritePrivateProfileLong, WritePrivateProfileString, atol, free, ltoa, malloc, mbstowcs, memcmp, realloc, towupper, wcstombs
I'm still working on the list you provided and will post as I complete them. Thanks.
ComboFix 08-09-27.06 - Steve Froning 2008-09-28 22:49:01.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1255 [GMT -6:00]
Running from: C:\Documents and Settings\Steve Froning\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steve Froning\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\lszsnwlk
C:\Program Files\tjocub
C:\Program Files\tjocub\DscWeb.dll
.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-29 )))))))))))))))))))))))))))))))
.
2008-09-28 22:21 . 2008-04-13 12:47 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-09-28 22:21 . 2008-04-13 12:47 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-09-28 22:19 . 1997-10-14 05:19 11,776 --a------ C:\WINDOWS\system32\pmsbfn32.dll
2008-09-28 22:19 . 2005-06-01 00:28 9,606 --a------ C:\WINDOWS\system32\NEWSOFT
2008-09-28 22:19 . 2008-09-28 22:20 264 --a------ C:\WINDOWS\setup.iss
2008-09-28 22:18 . 2008-09-28 22:18 <DIR> d-------- C:\WINDOWS\system32\Color
2008-09-28 22:18 . 2008-09-28 22:18 <DIR> d-------- C:\Program Files\NewSoft
2008-09-28 22:18 . 2008-09-28 22:18 <DIR> d-------- C:\Program Files\Common Files\NewSoft
2008-09-28 22:17 . 2008-09-28 22:17 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-09-28 22:17 . 2008-09-28 22:17 <DIR> d-------- C:\Documents and Settings\Steve Froning\Application Data\ScanSoft
2008-09-28 22:17 . 2008-09-28 22:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-09-28 22:17 . 2008-09-28 22:17 412 --a------ C:\WINDOWS\MAXLINK.INI
2008-09-28 22:16 . 2008-09-28 22:16 <DIR> d-------- C:\Program Files\ScanSoft
2008-09-28 22:14 . 2008-09-28 22:14 <DIR> d-------- C:\Program Files\Common Files\CANON
2008-09-28 22:10 . 2008-09-28 22:10 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-09-28 22:09 . 2008-09-28 22:09 <DIR> d--h----- C:\Program Files\CanonBJ
2008-09-28 22:08 . 2008-09-28 22:22 <DIR> d-------- C:\Program Files\Canon
2008-09-28 22:08 . 2007-05-14 09:49 362,496 --a------ C:\WINDOWS\system32\CNMNPPM.DLL
2008-09-28 22:08 . 2007-05-14 09:49 142,336 --a------ C:\WINDOWS\system32\CNMNPUI.DLL
2008-09-28 22:08 . 2007-03-19 18:14 117,850 --a------ C:\WINDOWS\system32\Cnmnput.chm
2008-09-18 22:25 . 2008-09-18 22:25 20 ---h----- C:\Documents and Settings\All Users\Application Data\PKP_DLck.DAT
2008-09-18 22:00 . 2008-09-18 22:00 0 --a------ C:\WINDOWS\ViewNX.INI
2008-09-18 21:48 . 2008-09-18 22:25 <DIR> d-------- C:\Documents and Settings\Steve Froning\Application Data\Nikon
2008-09-18 21:47 . 2008-06-12 10:29 6,475,096 --a------ C:\WINDOWS\system32\NEFcodec.dll
2008-09-18 21:47 . 2008-01-10 10:16 200,704 -ra------ C:\WINDOWS\system32\Strato7.dll
2008-09-18 21:47 . 2008-01-10 10:51 110,592 -ra------ C:\WINDOWS\system32\RCSigProc.dll
2008-09-18 21:47 . 2008-09-18 22:25 20 ---h----- C:\Documents and Settings\All Users\Application Data\PKP_DLbx.DAT
2008-09-18 21:42 . 2008-09-18 21:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Radio Sounds
2008-09-18 21:42 . 2008-09-18 22:23 20 ---h----- C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
2008-09-18 21:41 . 2008-09-18 21:53 <DIR> d-------- C:\Program Files\Common Files\Nikon
2008-09-18 21:41 . 2008-09-18 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nikon
2008-09-18 21:40 . 2008-09-18 21:47 <DIR> d-------- C:\Program Files\Nikon
2008-09-18 21:40 . 2008-09-18 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ultima_T15
2008-09-18 21:40 . 2008-09-18 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Plug-Ins
2008-09-18 21:40 . 2008-09-18 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EnterNHelp
2008-09-18 21:40 . 2008-09-18 22:24 20 ---h----- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
2008-09-17 23:20 . 2008-09-17 23:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-17 23:20 . 2008-09-17 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-13 22:59 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-13 22:58 . 2008-09-13 22:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-13 22:58 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-13 22:22 . 2008-09-13 22:22 <DIR> d-------- C:\Documents and Settings\Steve Froning\Application Data\Talkback
2008-09-13 22:22 . 2008-09-13 22:22 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-13 22:00 . 2008-09-28 20:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-13 20:56 . 2008-09-13 20:56 <DIR> d-------- C:\Documents and Settings\Steve Froning\Application Data\RegFixPro
2008-09-13 20:43 . 2008-09-13 22:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-10 21:51 . 2008-09-10 21:52 <DIR> d-------- C:\Program Files\iTunes
2008-09-10 21:51 . 2008-09-10 21:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-10 21:50 . 2008-09-10 21:50 <DIR> d-------- C:\Program Files\Bonjour
2008-09-10 21:49 . 2008-09-10 21:50 <DIR> d-------- C:\Program Files\QuickTime
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-09-01 20:24 . 2004-08-04 04:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-09-01 15:58 . 2008-09-01 15:58 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-01 15:58 . 2008-09-01 15:58 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-01 15:58 . 2008-09-01 15:58 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-01 15:57 . 2008-09-01 15:57 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-01 15:56 . 2008-09-01 15:56 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-29 10:18 . 2008-08-29 10:18 87,336 --a------ C:\WINDOWS\system32\dns-sd.exe
2008-08-29 09:53 . 2008-08-29 09:53 61,440 --a------ C:\WINDOWS\system32\dnssd.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-29 04:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-18 05:40 --------- d-----w C:\Program Files\Enigma Software Group
2008-09-14 04:37 --------- d-----w C:\Program Files\Full Tilt Poker
2008-09-14 04:34 --------- d-----w C:\Program Files\Google
2008-09-11 05:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-11 03:51 --------- d-----w C:\Program Files\iPod
2008-09-11 03:49 --------- d-----w C:\Program Files\Common Files\Apple
2008-08-24 23:43 --------- d-----w C:\Program Files\Java
2008-08-24 23:36 --------- d-----w C:\Program Files\Apple Software Update
2008-08-24 19:16 --------- d-----w C:\Documents and Settings\Steve Froning\Application Data\Malwarebytes
2008-08-24 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-19 04:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 04:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 04:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 04:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 04:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 04:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 04:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 04:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 04:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 04:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
.
((((((((((((((((((((((((((((( snapshot@2008-09-27_12.24.21.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-07-27 23:48:52 323,584 ----a-w C:\WINDOWS\Downloaded Program Files\isusweb.dll
+ 2005-02-16 22:15:20 401,408 ----a-w C:\WINDOWS\Downloaded Program Files\isusweb.dll
+ 2008-09-29 04:17:30 7,406 ----a-r C:\WINDOWS\Installer\{FE893E2C-11B4-47CB-88F6-6647D90C6A13}\ARPPRODUCTICON.exe
+ 2008-09-29 04:17:30 49,152 ----a-r C:\WINDOWS\Installer\{FE893E2C-11B4-47CB-88F6-6647D90C6A13}\NewShortcut14_27BC537B086D42E19CB39D115FA043BF.exe
+ 2008-09-29 04:17:30 450,560 ----a-r C:\WINDOWS\Installer\{FE893E2C-11B4-47CB-88F6-6647D90C6A13}\NewShortcut15_27BC537B086D42E19CB39D115FA043BF.exe
+ 2008-09-29 04:17:30 65,536 ----a-r C:\WINDOWS\Installer\{FE893E2C-11B4-47CB-88F6-6647D90C6A13}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
+ 2007-09-13 13:05:26 755,032 ----a-r C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX850_series\DelDrv.exe
+ 2007-09-13 12:16:02 49,152 ----a-r C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX850_series\RES\DLL\IJInstJP.dll
+ 2007-09-13 12:16:01 57,344 ----a-r C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX850_series\RES\DLL\IJInstUS.dll
+ 2007-09-20 16:29:02 1,339,392 ----a-w C:\WINDOWS\system32\CNC850C.DLL
+ 2007-09-20 16:28:42 98,304 ----a-w C:\WINDOWS\system32\CNC850I.DLL
+ 2007-10-26 08:54:01 204,800 ----a-w C:\WINDOWS\system32\CNC850L.DLL
+ 2007-03-15 14:12:00 188,416 ----a-w C:\WINDOWS\system32\CNC850O.DLL
+ 2007-10-03 10:10:02 156,160 ----a-w C:\WINDOWS\system32\CNCF2Lf.DLL
+ 2007-10-03 10:06:02 3,072 ----a-w C:\WINDOWS\system32\CNCFLfJP.DLL
+ 2007-10-03 10:06:00 3,584 ----a-w C:\WINDOWS\system32\CNCFLfUS.DLL
+ 2007-10-03 10:10:42 106,496 ----a-w C:\WINDOWS\system32\CNCFMSf.EXE
+ 2007-10-29 05:00:00 223,744 ----a-w C:\WINDOWS\system32\CNMLM98.DLL
+ 2007-10-03 10:11:54 98,304 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNCAABf.EXE
+ 2007-10-03 10:13:52 561,152 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNCAAIf.DLL
+ 2007-10-03 10:15:10 278,528 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNCAMGf.DLL
+ 2007-10-03 10:11:52 512,000 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNCAPFf.EXE
+ 2007-10-03 10:11:08 196,608 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNCAWSf.DLL
+ 2007-10-03 10:09:50 40,448 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNCF2Gf.dll
+ 2007-10-03 10:09:50 28,672 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNCF2Mf.DLL
+ 2007-10-03 10:09:50 46,592 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNCF2Uf.dll
+ 2007-10-03 10:06:00 69,632 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNCFCfJP.DLL
+ 2007-10-03 10:05:58 73,728 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNCFCfUS.DLL
+ 2007-10-03 10:11:36 524,288 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNCFDLf.DLL
+ 2007-10-03 10:10:38 139,264 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNCFIMf.DLL
+ 2007-10-29 05:00:00 11,264 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMBM98.DLL
+ 2007-10-29 05:00:00 33,280 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMBS98.DLL
+ 2007-10-29 05:00:00 11,264 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMBU98.DLL
+ 2007-10-29 05:00:00 1,600,000 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMCB98.DLL
+ 2007-10-29 05:00:00 102,912 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMCP98.DLL
+ 2007-10-29 05:00:00 224,256 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMD598.DLL
+ 2007-10-29 05:00:00 551,936 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMDR98.DLL
+ 2007-10-29 05:00:00 24,064 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMEI98.DLL
+ 2007-10-29 05:00:00 10,240 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMFU98.DLL
+ 2007-10-29 05:00:00 9,216 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMLH98.DLL
+ 2007-10-29 05:00:00 156,672 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMLR98.DLL
+ 2007-10-29 05:00:00 25,088 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMOP98.DLL
+ 2007-10-29 00:00:00 23,280 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP098.DAT
+ 2007-10-29 00:00:00 27,140 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP198.DAT
+ 2007-10-29 00:00:00 30,320 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP298.DAT
+ 2007-10-29 05:00:00 12,288 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMPI98.DLL
+ 2007-10-29 05:00:00 102,912 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMPV98.DLL
+ 2007-10-29 05:00:00 1,144,832 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSB98.DLL
+ 2007-10-29 05:00:00 47,616 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSD98.DLL
+ 2007-10-29 08:07:50 17,232 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSE98.EXE
+ 2007-10-29 05:00:00 440,320 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSM98.DLL
+ 2007-10-29 05:00:00 44,032 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSQ98.DLL
+ 2007-10-29 05:00:00 77,312 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSR98.DLL
+ 2007-10-29 05:00:00 642,048 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUB98.DLL
+ 2007-10-29 05:00:00 2,591,744 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUI98.DLL
+ 2007-10-29 05:00:00 378,368 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUR98.DLL
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-21 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-28 8429568]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 1392640]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-01-25 159744]
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"PDVDDXSrv"="d:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="D:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2005-06-13 192512]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-11 406016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-29 185896]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-06-07 319488]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-08 289576]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-25 652624]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-13 1603152]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-06-13 73728]
"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"nwiz"="nwiz.exe" [2007-04-28 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-04-28 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2007-04-28 C:\WINDOWS\system32\nvmctray.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 C:\WINDOWS\stsystra.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
C:\Documents and Settings\Steve Froning\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-01-11 2150400]
NCProTray.lnk - C:\Program Files\SEC\Natural Color Pro\NCProTray.exe [2007-10-07 49220]
Nikon Monitor.lnk - C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-06-05 479232]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"D:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"D:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"D:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"D:\\Program Files\\realplay.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R2 r_server;Remote Administrator Service;C:\WINDOWS\system32\r_server.exe [2005-06-21 724992]
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKCU-RunOnce-RunCanonMsetUp - C:\DOCUME~1\STEVEF~1\LOCALS~1\Temp\MasterReboot\CANON_IJ\MCDCHK2.EXE
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 22:49:56
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-09-28 22:50:29
ComboFix-quarantined-files.txt 2008-09-29 04:50:21
ComboFix2.txt 2008-09-27 18:24:33
Pre-Run: 2,350,411,776 bytes free
Post-Run: 2,383,482,880 bytes free
342 --- E O F --- 2008-09-24 03:54:32
I ran the ATF Cleaner and emptied folders. Also ran Kaspersky and HJT, logs are below:
Logfile of HijackThis v1.99.1
Scan saved at 7:09:48 AM, on 9/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Apoint\Apntex.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Apoint\HidFind.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\r_server.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDVDDXSrv] "d:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: NCProTray.lnk = ?
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, September 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, September 29, 2008 05:00:34
Records in database: 1271386
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
Scan statistics:
Files scanned: 75815
Threat name: 5
Infected objects: 12
Suspicious objects: 0
Duration of the scan: 01:00:41
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01480000.VBN Infected: Trojan-Downloader.Win32.Agent.ablq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01480001.VBN Infected: Trojan-Mailfinder.Win32.Agent.rj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01480002.VBN Infected: Trojan-Dropper.Win32.Agent.vsl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01480003.VBN Infected: Trojan-Dropper.Win32.Agent.vsl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01480005.VBN Infected: Trojan-Downloader.Win32.Agent.ablq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01480007.VBN Infected: Trojan-Downloader.Win32.Agent.ablq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01480009.VBN Infected: Trojan-Downloader.Win32.Agent.ablq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0148000C.VBN Infected: Trojan-Downloader.Win32.Small.abkn 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08500000.VBN Infected: Trojan-Dropper.Win32.Agent.vsl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08E00000.VBN Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08E00001.VBN Infected: Trojan-Mailfinder.Win32.Agent.rj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E240000.VBN Infected: Trojan-Downloader.Win32.Agent.ablq 1
The selected area was scanned.
I did not run Firefox or Opera, since I ran the ATF Cleaner. If this was incorrect please let me know and I will download and run those as well.
Thanks again for all your help.
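A small triage pass over HijackThis entries in the shape of the log above, as an added example that is not part of this thread or of HijackThis itself: the sample lines are constructed from the log's format, and the rules (missing files, services with no publisher, Winsock LSP entries, service paths with a stray quote like the r_server line) are my own heuristics that mark entries for a human to look at.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# A HijackThis entry starts with a section code such as R0, O4, O10 or O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2})\s+-\s+(?P<rest>.*)$")

# Constructed sample: a handful of lines in the exact shape of the log above,
# including the r_server service entry with its unbalanced quote.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
"""


@dataclass
class Finding:
    code: str    # HJT section code, e.g. "O23"
    reason: str  # why the entry deserves a look
    line: str    # the original log line


def triage_hjt(log_text: str) -> List[Finding]:
    """Apply simple heuristics to each entry and return those worth reviewing.

    Heuristics (my own, not HijackThis's):
      * any entry whose target is reported as "(file missing)"; a leftover
        such as dimsntfy on XP is common and benign, but a missing service
        binary still listed as a service is worth a question;
      * O10 Winsock LSP entries, because an LSP sees all socket traffic and
        the vendor should be identified;
      * O23 services with "Unknown owner", i.e. no publisher string;
      * O23 service paths containing an odd number of quote characters,
        which is what a broken or hand-edited ImagePath looks like in HJT.
    """
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header and running-process lines carry no section code
        code, rest = m.group("code"), m.group("rest")

        if "(file missing)" in rest:
            findings.append(Finding(code, "referenced file is missing", line))

        if code == "O10":
            findings.append(Finding(code, "Winsock LSP entry", line))

        if code == "O23":
            if "Unknown owner" in rest:
                findings.append(Finding(code, "service has no publisher", line))
            # The path is the last " - " separated field of an O23 line.
            path = rest.rsplit(" - ", 1)[-1]
            if path.count('"') % 2 == 1:
                findings.append(Finding(code, "malformed service path", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per section code, e.g. {'O10': 1, 'O20': 1, 'O23': 3}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_hjt(SAMPLE_LOG)
    for f in results:
        print(f"{f.code:4} {f.reason:28} {f.line}")
    print(summarize(results))
```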
Hi
Delete items in C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine folder but don't delete the folder itself.
Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.
Now let's uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the run box and click OK.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
Download SpywareBlaster
SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It makes kill bits in the registry, so that certain ActiveX controls can't install.
If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)
hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit Enter.
Locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.
Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
See here (http://www.freebyte.com/antivirus/#firewalls) to choose one if you don't have a 3rd party firewall.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
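A PowerShell script, added here as a worked example (it is not part of Blade's post, nor code from SpywareBlaster, MVPS or any other tool the post links to), that checks the hardening steps above instead of trusting the GUI clicks: the six Internet-zone settings, the ActiveX kill bits SpywareBlaster writes, the hosts file (blocking entries versus the kind of entry a redirect infection leaves behind), and the DNS Client start mode. Assumptions: PowerShell is installed (a stock XP install does not ship it) and the prompt is elevated; the registry paths and numeric value IDs are the documented Internet Explorer zone settings (Zones\3 is the Internet zone; 0 = Enable, 1 = Prompt, 3 = Disable) and the ActiveX Compatibility kill-bit key (bit 0x400 in Compatibility Flags); `$SampleHosts` is a constructed hosts file for the demo, and 203.0.113.7 is a documentation-range address standing in for an attacker's server.

```powershell
# Added example, not part of the original thread or of any tool it links to.
# Assumptions: elevated PowerShell prompt on the cleaned machine; registry paths
# and value IDs are the documented IE zone settings and kill-bit key;
# $SampleHosts is constructed for the demo (203.0.113.7 = documentation range).

# ---- 1. Internet zone settings from the post, keyed by registry value ID ----
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Wanted  = @{
    '1001' = @{ Desc = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Desc = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Desc = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Desc = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Desc = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Desc = 'Navigate sub-frames across different domains';              Want = 1 }
}
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Describe-ZoneValue($v) {
    if ($null -eq $v) { return 'not set (zone default)' }
    if ($Meaning.ContainsKey([int]$v)) { $Meaning[[int]$v] } else { "$v" }
}

function Test-IEZoneSettings {
    param([switch]$Fix)   # -Fix writes the recommended value instead of only reporting
    $props = Get-ItemProperty -Path $ZoneKey
    foreach ($id in $Wanted.Keys) {
        $current = $props.$id
        $want    = $Wanted[$id].Want
        if ($current -eq $want) {
            "OK   {0}: {1}" -f $Wanted[$id].Desc, (Describe-ZoneValue $current)
        } else {
            "FIX  {0}: is {1}, should be {2}" -f $Wanted[$id].Desc, (Describe-ZoneValue $current), $Meaning[$want]
            if ($Fix) { Set-ItemProperty -Path $ZoneKey -Name $id -Value $want -Type DWord }
        }
    }
}

# ---- 2. ActiveX kill bits (the registry change SpywareBlaster makes) ----
$KillBitKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
function Get-KillBitCount {
    # Each CLSID subkey whose 'Compatibility Flags' has bit 0x400 set cannot load in IE.
    $n = 0
    foreach ($key in (Get-ChildItem -Path $KillBitKey -ErrorAction SilentlyContinue)) {
        $flags = (Get-ItemProperty -Path $key.PSPath).'Compatibility Flags'
        if ($flags -band 0x400) { $n++ }
    }
    $n
}

# ---- 3. Hosts file: MVPS-style blocking entries vs. redirect-style hijacks ----
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
function Find-HostsHijacks {
    param([string[]]$Lines)
    # Blocking points a name at 127.0.0.1 or 0.0.0.0; a name mapped to any other
    # address is exactly what a search-redirect infection plants.
    $blockers = @('127.0.0.1', '0.0.0.0', '::1')
    foreach ($line in $Lines) {
        $clean = ($line -replace '#.*$', '').Trim()      # strip comments
        if ($clean -eq '') { continue }
        $parts = $clean -split '\s+'
        if ($parts.Count -lt 2) { continue }
        $ip = $parts[0]
        if ($blockers -contains $ip) { continue }
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            if ($name -ne 'localhost') { "HIJACK? $name -> $ip" }
        }
    }
}

# ---- 4. DNS Client service start mode (Manual avoids the big-hosts-file slowdown) ----
function Get-DnsClientStartMode {
    (Get-WmiObject -Class Win32_Service -Filter "Name='Dnscache'").StartMode
}

# Constructed sample hosts content for the demo; not read from a real file.
$SampleHosts = @(
    '# constructed sample hosts file',
    '127.0.0.1       localhost',
    '0.0.0.0         ad.doubleclick.net   # MVPS-style block entry',
    '203.0.113.7     www.google.com       # redirect-style entry',
    '203.0.113.7     google.com'
)

'== Internet zone settings ==';   Test-IEZoneSettings
'== ActiveX kill bits set: {0}' -f (Get-KillBitCount)
'== Constructed hosts sample =='; Find-HostsHijacks -Lines $SampleHosts
'== Live hosts file ==';          if (Test-Path $HostsPath) { Find-HostsHijacks -Lines (Get-Content $HostsPath) }
'== DNS Client start mode: ' + (Get-DnsClientStartMode)
```

Run it once after the GUI steps to confirm they stuck; `Test-IEZoneSettings -Fix` writes the recommended values directly. On the constructed sample only the two 203.0.113.7 lines are reported, because the 0.0.0.0 entry is a legitimate block. The hosts check is deliberately crude (any non-loopback mapping is flagged), which is the right bias after a redirect infection: a clean machine normally has nothing but localhost and block entries in that file.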
Everything appears to be working normally. I did all of the steps you recommended.
The only thing I didn't do was delete the Symantec quarantine files...I couldn't find the files or folder. I'm not sure why that would be... I even went through the Symantec user interface to check to see if it showed the files in its quarantine folder, but it was blank as well. If you think this is of concern, please let me know.
Otherwise, thank you for all your help. I would not have been able to do these things on my own.
If you are ever in Denver, CO let me know. I owe you a drink. :)
You're welcome :)
Let's see if we can find the quarantine items
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Delete items in C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine folder (not the folder itself).
That should take care of quarantine items. We need to re-hide system files now. To do so, please follow the steps below:
Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Put a check by Hide file extensions for known file types.
Under the Hidden files folder, select Show hidden files and folders.
Check Hide protected operating system files.
Click Apply, and then click OK.
Followed the steps and deleted the files. Thanks (again).
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or a MOD a private message (PM). A valid, working link to the closed topic is required.