PDA

View Full Version : HELP! Another Virtumonde victim...


chicagokeith
2008-09-26, 21:25
H E L P !

My brother's friend was on my PC, and now I'm bit. Spybot S&D tells me I am infected with Virtumonde. I will never let anyone else on my PC! ... this is so frustrating.

I have read some of the threads about Virtumonde here, and I think I've done all the initial steps. Your help is very much appreciated.

When I start up in safe mode, I have the option to hit ESC to prevent SPTD.SYS from loading - I have now been doing this, but i am not sure what SPTD does.

I have run S&D in safe mode many times, but Virtumonde keeps returning every time re-run S&D.

While running Spybot S&D I see what looks like a command prompt window briefly open on its own, but closes on its own almost immediately.

I can start up OK, but When I go to shutdown my PC I get a bluescreen.



Here is my Hijackthis Logfile:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:10 PM, on 9/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\flexlm\i486_nt\obj\ptc_d.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office Pro 2003\OFFICE11\WINWORD.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Documents and Settings\Keith\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI31D0~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://liuhaihong2.blog.163.com
O15 - Trusted Zone: http://www.mcmaster.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {13EC470D-6583-42A3-B07D-648F70BC5CA0} (ProtoView Class) - http://extranet.protomold.net/ProtoView/current/setup.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://C:\Program Files\proeWildfire 2.0\i486_nt\obj\pvx_install.exe
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://chil.solidworks.com/htdocs/pdownload/edrawings/e2008sp02/cab/eModelsStandard.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143485616984
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.quickparts.com/java/XUpload.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\DETERM~1\DETERM~1\lib\CVE-2006-1359.dll,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: winkve32 - C:\WINDOWS\SYSTEM32\winkve32.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 12165 bytes
pskelley
2008-09-27, 14:41
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

1) Appears the directions were not read because HJT is unsafely located? Follow these directions to fix that:
Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log. <<< close HJT until you need it later.

2) Please be sure Spybot S&D is up to date and fully immunized.
Spybot-S&D 1.6 has arrived! 8. July 2008
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html

3) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

4) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Thanks
chicagokeith
2008-09-29, 00:37
Thanks PSKELLY,

OK...
I installed HJT
I updated and immunized S&D
TeaTimer is disabled
my PC is now offline
the Recovery Console is installed
a System Restore Point has been created

ComboFix ran and automatically rebooted my machine
when my machine shuts-down I get a blue-screen C000021a {Fatal System Error}, so I manually shut down and restarted machine.
After I restarted, the "Find3M" window was still up and running.
After about 1.5 hours it finished and I have the following log files:


ComboFix 08-09-27.05 - Keith 2008-09-28 14:47:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1374 [GMT -5:00]
Running from: C:\Documents and Settings\Keith\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Keith\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Keith\Cookies\keith@ehg.fedex[1].txt
C:\Documents and Settings\Keith\Cookies\keith@insightexpressai[1].txt
C:\Documents and Settings\Keith\Cookies\keith@nextag[2].txt
C:\Documents and Settings\Keith\Cookies\keith@revsci[2].txt
C:\Documents and Settings\Keith\Cookies\keith@www.webschwab[2].txt
C:\WINDOWS\system32\rtl60.bpl
C:\WINDOWS\system32\winkve32.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-28 )))))))))))))))))))))))))))))))
.

2008-09-28 13:56 . 2008-09-28 13:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-16 11:27 . 2008-09-16 11:28 <DIR> d-------- C:\Program Files\iTunes
2008-09-16 11:27 . 2008-09-16 11:27 <DIR> d-------- C:\Program Files\iPod
2008-09-16 11:27 . 2008-09-16 11:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-16 11:25 . 2008-09-16 11:25 <DIR> d-------- C:\Program Files\QuickTime
2008-09-12 09:46 . 2008-09-12 09:46 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-12 09:46 . 2008-09-12 09:46 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-12 09:46 . 2008-09-12 09:46 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-12 09:46 . 2008-09-12 09:46 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-12 09:40 . 2008-09-12 09:46 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-12 00:57 . 2008-04-13 19:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-09-08 17:05 . 2008-09-08 17:05 <DIR> d-------- C:\Program Files\Apple Software Update
2008-09-08 17:04 . 2008-09-08 17:04 <DIR> d-------- C:\Program Files\Safari
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-08-29 10:18 . 2008-08-29 10:18 87,336 --a------ C:\WINDOWS\system32\dns-sd.exe
2008-08-29 09:53 . 2008-08-29 09:53 61,440 --a------ C:\WINDOWS\system32\dnssd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-28 19:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-26 21:28 --------- d-----w C:\Program Files\Plaxo
2008-09-26 20:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-26 14:49 --------- d-----w C:\Documents and Settings\Keith\Application Data\SolidWorks
2008-09-25 20:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-25 20:52 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-17 16:16 --------- d-----w C:\Program Files\Enigma Software Group
2008-09-16 16:25 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-16 16:08 --------- d-----w C:\Program Files\Bonjour
2008-09-08 22:11 --------- d-----w C:\Documents and Settings\Keith\Application Data\Apple Computer
2008-09-05 22:43 --------- d-----w C:\Program Files\Folder Lock
2008-08-19 16:03 --------- d-----w C:\Program Files\SolidWorks (2)
2008-08-18 22:35 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-18 22:21 --------- d-----w C:\Program Files\PalmOne
2008-08-18 22:16 --------- d-----w C:\Program Files\Nero
2008-08-18 22:16 --------- d-----w C:\Documents and Settings\Keith\Application Data\Ahead
2008-08-18 22:15 --------- d-----w C:\Program Files\MediaMonkey
2008-08-14 15:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-14 15:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-08-08 20:38 --------- d-----w C:\Documents and Settings\Keith\Application Data\sldIM
2008-08-06 18:09 --------- d-----w C:\Program Files\Norton Internet Security
2008-08-01 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\SolidWorks Templates
2008-07-30 22:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 22:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 22:28 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-05-22 16:14 3,743 ----a-w C:\Documents and Settings\Keith\Fire claim.zip
2006-06-06 14:43 32,768 ----a-w C:\Documents and Settings\Keith\Application Data\rndcinscheck.dll
2003-09-12 05:06 24,576 ----a-w C:\Program Files\xp_taskmgrenab.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvMon.exe"="C:\WINDOWS\system32\DrvMon.exe" [2004-09-09 53248]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-04 7204864]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-11-04 86016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 771704]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 C:\WINDOWS\stsystra.exe]
"nwiz"="nwiz.exe" [2005-11-04 C:\WINDOWS\system32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"IMEKRMIG6.1"=C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-05-05 33952]
R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CHECKI~1\BCMNTIO.sys [2004-03-05 3744]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CHECKI~1\MAPMEM.sys [2004-03-05 3904]
R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2007-10-12 71096]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)
Notify-winkve32 - winkve32.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\ut0fmt69.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://news.google.com/nwshp?client=firefox-a&rls=org.mozilla:en-US:official&hl=en&tab=wn
FF -: plugin - C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 15:08:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
"ImagePath"="\??\C:\DOCUME~1\Keith\LOCALS~1\Temp\catchme.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
"ImagePath"="\??\C:\DOCUME~1\Keith\LOCALS~1\Temp\catchme.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
C:\Program Files\flexlm\i486_nt\obj\ptc_d.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-09-28 16:14:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-28 21:14:43

Pre-Run: 71,004,672,000 bytes free
Post-Run: 70,888,329,216 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

186 --- E O F --- 2008-09-16 08:00:58


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:28 PM, on 9/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\flexlm\i486_nt\obj\ptc_d.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI31D0~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://liuhaihong2.blog.163.com
O15 - Trusted Zone: http://www.mcmaster.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {13EC470D-6583-42A3-B07D-648F70BC5CA0} (ProtoView Class) - http://extranet.protomold.net/ProtoView/current/setup.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://C:\Program Files\proeWildfire 2.0\i486_nt\obj\pvx_install.exe
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://chil.solidworks.com/htdocs/pdownload/edrawings/e2008sp02/cab/eModelsStandard.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143485616984
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.quickparts.com/java/XUpload.ocx
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 11061 bytes



Thanks!
pskelley
2008-09-29, 00:56
Thanks for returning your information and the feedback, this is the item combofix removed:
C:\WINDOWS\system32\winkve32.dll
http://www.google.com/search?hl=en&q=winkve32.dll&btnG=Search

Let's do some cleaning and have MBAM take a second look for us, follow the numbered order.

1) C:\Program Files\Java\jre1.6.0_03\ <<< update Java, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

2) Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
(if you are positive the next two are safe, you may leave them)
O15 - Trusted Zone: http://liuhaihong2.blog.163.com
O15 - Trusted Zone: http://www.mcmaster.com

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

How is the computer running?

Thanks...Phil
chicagokeith
2008-09-30, 21:43
Thanks Phil,

I removed all old Java installs, and installed the latest rev.
TT reset.
4 lines removed using HJT (the other 2 are OK).
Ran ATF.
Cleaned Prefetch. PC seams a little sluggish right now, but the tutorial says this is expected.

Downloaded MBAM, but every time I try to run MBAM it hangs (display looks frozen except for mouse movement, keyboard and mouse clicks do nothing, CTRL-ALT-DEL does not bring up task manager). I have to restart PC to get back up. I removed and reinstalled MBAM, but same result. Originally I tried running it with Norton running, but then I turned off Norton - same result.

Everything else seams OK now.

Here are my log files...


ComboFix 08-09-28.05 - Keith 2008-09-30 11:55:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1343 [GMT -5:00]
Running from: C:\Documents and Settings\Keith\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 )))))))))))))))))))))))))))))))
.

2008-09-30 09:40 . 2008-09-30 09:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-30 09:40 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-30 09:40 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-29 09:53 . 2008-09-29 09:53 <DIR> d-------- C:\Documents and Settings\Keith\Application Data\Malwarebytes
2008-09-29 09:53 . 2008-09-29 09:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-29 09:37 . 2008-09-29 09:37 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-09-29 09:37 . 2008-09-29 09:37 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-28 13:56 . 2008-09-28 13:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-16 11:27 . 2008-09-16 11:28 <DIR> d-------- C:\Program Files\iTunes
2008-09-16 11:27 . 2008-09-16 11:27 <DIR> d-------- C:\Program Files\iPod
2008-09-16 11:27 . 2008-09-16 11:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-16 11:25 . 2008-09-16 11:25 <DIR> d-------- C:\Program Files\QuickTime
2008-09-12 09:46 . 2008-09-12 09:46 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-12 09:46 . 2008-09-12 09:46 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-12 09:46 . 2008-09-12 09:46 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-12 09:46 . 2008-09-12 09:46 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-12 09:40 . 2008-09-12 09:46 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-12 00:57 . 2008-04-13 19:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-09-08 17:05 . 2008-09-08 17:05 <DIR> d-------- C:\Program Files\Apple Software Update
2008-09-08 17:04 . 2008-09-08 17:04 <DIR> d-------- C:\Program Files\Safari
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-08-29 10:18 . 2008-08-29 10:18 87,336 --a------ C:\WINDOWS\system32\dns-sd.exe
2008-08-29 09:53 . 2008-08-29 09:53 61,440 --a------ C:\WINDOWS\system32\dnssd.dll
2008-08-26 09:15 . 2008-08-26 09:15 244 --ah----- C:\sqmnoopt04.sqm
2008-08-26 09:15 . 2008-08-26 09:15 232 --ah----- C:\sqmdata04.sqm
2008-08-25 16:44 . 2008-08-25 16:44 244 --ah----- C:\sqmnoopt03.sqm
2008-08-25 16:44 . 2008-08-25 16:44 232 --ah----- C:\sqmdata03.sqm
2008-08-25 14:35 . 2008-08-25 14:35 244 --ah----- C:\sqmnoopt02.sqm
2008-08-25 14:35 . 2008-08-25 14:35 232 --ah----- C:\sqmdata02.sqm
2008-08-18 17:35 . 2008-08-18 17:35 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-08-14 13:55 . 2008-05-01 09:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 13:53 . 2008-04-11 14:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-14 11:05 . 2008-08-14 11:07 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-08-14 10:02 . 2008-07-22 20:32 32,000 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-08-14 10:01 . 2008-09-16 11:25 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-08-14 10:01 . 2008-08-14 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-14 09:41 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-08-14 09:41 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-08-14 09:40 . 2008-04-13 13:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-08 12:15 . 2008-08-08 12:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-08 12:15 . 2008-08-08 12:15 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-01 10:35 . 2008-08-01 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SolidWorks Templates

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-30 16:19 --------- d-----w C:\Program Files\Plaxo
2008-09-30 16:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-29 21:17 --------- d-----w C:\Program Files\ACD Systems
2008-09-29 21:11 --------- d-----w C:\Documents and Settings\Keith\Application Data\Lavasoft
2008-09-29 18:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-29 14:37 --------- d-----w C:\Program Files\Java
2008-09-29 14:25 --------- d-----w C:\Program Files\PalmOne
2008-09-29 14:24 --------- d-----w C:\Program Files\Google
2008-09-26 14:49 --------- d-----w C:\Documents and Settings\Keith\Application Data\SolidWorks
2008-09-25 20:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-25 20:52 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-17 16:16 --------- d-----w C:\Program Files\Enigma Software Group
2008-09-16 16:08 --------- d-----w C:\Program Files\Bonjour
2008-09-08 22:11 --------- d-----w C:\Documents and Settings\Keith\Application Data\Apple Computer
2008-09-05 22:43 --------- d-----w C:\Program Files\Folder Lock
2008-08-19 16:03 --------- d-----w C:\Program Files\SolidWorks (2)
2008-08-18 22:16 --------- d-----w C:\Program Files\Nero
2008-08-18 22:16 --------- d-----w C:\Documents and Settings\Keith\Application Data\Ahead
2008-08-18 22:15 --------- d-----w C:\Program Files\MediaMonkey
2008-08-14 15:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-08 20:38 --------- d-----w C:\Documents and Settings\Keith\Application Data\sldIM
2008-08-06 18:09 --------- d-----w C:\Program Files\Norton Internet Security
2008-07-30 22:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 22:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 22:28 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 23:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 15:57 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-02 14:06 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-05-22 16:14 3,743 ----a-w C:\Documents and Settings\Keith\Fire claim.zip
2006-06-06 14:43 32,768 ----a-w C:\Documents and Settings\Keith\Application Data\rndcinscheck.dll
2003-09-12 05:06 24,576 ----a-w C:\Program Files\xp_taskmgrenab.exe
.

((((((((((((((((((((((((((((( snapshot@2008-09-28_16.14.12.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-02-03 18:58:30 4,710 ----a-r C:\WINDOWS\Installer\{92605735-AAFB-47F7-A67D-17ED129EFF9C}\ACDSee_Dsktp_Shtcut.exe
+ 2008-09-29 21:17:13 4,710 ----a-r C:\WINDOWS\Installer\{92605735-AAFB-47F7-A67D-17ED129EFF9C}\ACDSee_Dsktp_Shtcut.exe
- 2006-02-03 18:58:30 4,710 ----a-r C:\WINDOWS\Installer\{92605735-AAFB-47F7-A67D-17ED129EFF9C}\ACDSee_PM_Shtcut.exe
+ 2008-09-29 21:17:13 4,710 ----a-r C:\WINDOWS\Installer\{92605735-AAFB-47F7-A67D-17ED129EFF9C}\ACDSee_PM_Shtcut.exe
- 2006-02-03 18:58:30 4,710 ----a-r C:\WINDOWS\Installer\{92605735-AAFB-47F7-A67D-17ED129EFF9C}\ARPPRODUCTICON.exe
+ 2008-09-29 21:17:13 4,710 ----a-r C:\WINDOWS\Installer\{92605735-AAFB-47F7-A67D-17ED129EFF9C}\ARPPRODUCTICON.exe
- 2006-02-03 18:58:30 4,710 ----a-r C:\WINDOWS\Installer\{92605735-AAFB-47F7-A67D-17ED129EFF9C}\FotoCanvasLite_Dsktp_Shtcut.exe
+ 2008-09-29 21:17:13 4,710 ----a-r C:\WINDOWS\Installer\{92605735-AAFB-47F7-A67D-17ED129EFF9C}\FotoCanvasLite_Dsktp_Shtcut.exe
- 2006-02-03 18:58:30 4,710 ----a-r C:\WINDOWS\Installer\{92605735-AAFB-47F7-A67D-17ED129EFF9C}\FotoCanvasLite_PM_Shtcut.exe
+ 2008-09-29 21:17:13 4,710 ----a-r C:\WINDOWS\Installer\{92605735-AAFB-47F7-A67D-17ED129EFF9C}\FotoCanvasLite_PM_Shtcut.exe
- 2001-09-17 15:48:30 167,936 ----a-r C:\WINDOWS\system32\czs_ui.dll
+ 2001-09-17 14:48:30 167,936 ----a-r C:\WINDOWS\system32\czs_ui.dll
- 2001-09-17 15:49:20 573,440 ----a-r C:\WINDOWS\system32\dbsock.dll
+ 2001-09-17 14:49:20 573,440 ----a-r C:\WINDOWS\system32\dbsock.dll
- 2001-09-17 15:48:52 45,568 ----a-r C:\WINDOWS\system32\DC210.dll
+ 2001-09-17 14:48:52 45,568 ----a-r C:\WINDOWS\system32\DC210.dll
- 2001-09-17 15:48:52 114,688 ----a-r C:\WINDOWS\system32\DC240.dll
+ 2001-09-17 14:48:52 114,688 ----a-r C:\WINDOWS\system32\DC240.dll
- 2001-09-17 15:48:52 230,400 ----a-r C:\WINDOWS\system32\DC265.dll
+ 2001-09-17 14:48:52 230,400 ----a-r C:\WINDOWS\system32\DC265.dll
- 2001-09-17 15:48:52 122,880 ----a-r C:\WINDOWS\system32\DC280.dll
+ 2001-09-17 14:48:52 122,880 ----a-r C:\WINDOWS\system32\DC280.dll
- 2001-09-17 15:48:30 168,960 ----a-r C:\WINDOWS\system32\deimg.dll
+ 2001-09-17 14:48:30 168,960 ----a-r C:\WINDOWS\system32\deimg.dll
- 2001-09-17 15:48:30 212,992 ----a-r C:\WINDOWS\system32\deImg010.dll
+ 2001-09-17 14:48:30 212,992 ----a-r C:\WINDOWS\system32\deImg010.dll
- 2001-09-17 15:48:30 161,280 ----a-r C:\WINDOWS\system32\deimg301.dll
+ 2001-09-17 14:48:30 161,280 ----a-r C:\WINDOWS\system32\deimg301.dll
- 2001-09-17 15:48:32 161,792 ----a-r C:\WINDOWS\system32\deimg401.dll
+ 2001-09-17 14:48:32 161,792 ----a-r C:\WINDOWS\system32\deimg401.dll
- 2001-09-17 15:48:32 360,448 ----a-r C:\WINDOWS\system32\deImg404.dll
+ 2001-09-17 14:48:32 360,448 ----a-r C:\WINDOWS\system32\deImg404.dll
- 2001-09-17 15:48:32 162,816 ----a-r C:\WINDOWS\system32\deimg602.dll
+ 2001-09-17 14:48:32 162,816 ----a-r C:\WINDOWS\system32\deimg602.dll
- 2001-09-17 15:48:32 167,936 ----a-r C:\WINDOWS\system32\Deimg603.dll
+ 2001-09-17 14:48:32 167,936 ----a-r C:\WINDOWS\system32\Deimg603.dll
- 2001-09-17 15:48:52 6,688 ----a-r C:\WINDOWS\system32\Digita.sys
+ 2001-09-17 14:48:52 6,688 ----a-r C:\WINDOWS\system32\Digita.sys
- 2001-09-17 15:48:52 44,544 ----a-r C:\WINDOWS\system32\ekfpixaudio.dll
+ 2001-09-17 14:48:52 44,544 ----a-r C:\WINDOWS\system32\ekfpixaudio.dll
- 2001-09-17 15:48:52 138,240 ----a-r C:\WINDOWS\system32\ekfpixexif.dll
+ 2001-09-17 14:48:52 138,240 ----a-r C:\WINDOWS\system32\ekfpixexif.dll
- 2001-09-17 15:48:52 4,096 ----a-r C:\WINDOWS\system32\ekfpixguid.dll
+ 2001-09-17 14:48:52 4,096 ----a-r C:\WINDOWS\system32\ekfpixguid.dll
- 2001-09-17 15:48:52 449,536 ----a-r C:\WINDOWS\system32\ekfpixio130.dll
+ 2001-09-17 14:48:52 449,536 ----a-r C:\WINDOWS\system32\ekfpixio130.dll
- 2001-09-17 15:48:52 100,352 ----a-r C:\WINDOWS\system32\ekfpixjpeg.dll
+ 2001-09-17 14:48:52 100,352 ----a-r C:\WINDOWS\system32\ekfpixjpeg.dll
- 2001-09-17 15:48:52 67,584 ----a-r C:\WINDOWS\system32\ekfpixpsets.dll
+ 2001-09-17 14:48:52 67,584 ----a-r C:\WINDOWS\system32\ekfpixpsets.dll
- 2001-09-17 15:48:52 36,864 ----a-r C:\WINDOWS\system32\F210.dll
+ 2001-09-17 14:48:52 36,864 ----a-r C:\WINDOWS\system32\F210.dll
- 2001-09-21 11:59:38 94,208 ----a-w C:\WINDOWS\system32\InTouchCOMClient.dll
+ 2001-09-21 10:59:38 94,208 ----a-w C:\WINDOWS\system32\InTouchCOMClient.dll
- 2001-09-21 12:00:38 40,960 ----a-w C:\WINDOWS\system32\InTouchViewer.dll
+ 2001-09-21 11:00:38 40,960 ----a-w C:\WINDOWS\system32\InTouchViewer.dll
- 2007-09-25 04:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-09-29 14:37:34 144,792 ----a-w C:\WINDOWS\system32\java.exe
- 2007-09-25 04:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-09-29 14:37:34 144,792 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-25 05:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-09-29 14:37:34 148,888 ----a-w C:\WINDOWS\system32\javaws.exe
- 2001-09-17 15:48:26 19,968 ----a-r C:\WINDOWS\system32\JGA1500.DLL
+ 2001-09-17 14:48:26 19,968 ----a-r C:\WINDOWS\system32\JGA1500.DLL
- 2001-09-17 15:48:26 10,752 ----a-r C:\WINDOWS\system32\JGAA500.DLL
+ 2001-09-17 14:48:26 10,752 ----a-r C:\WINDOWS\system32\JGAA500.DLL
- 2001-09-17 15:48:26 16,896 ----a-r C:\WINDOWS\system32\JGAD500.DLL
+ 2001-09-17 14:48:26 16,896 ----a-r C:\WINDOWS\system32\JGAD500.DLL
- 2001-09-17 15:48:26 9,216 ----a-r C:\WINDOWS\system32\JGAP500.DLL
+ 2001-09-17 14:48:26 9,216 ----a-r C:\WINDOWS\system32\JGAP500.DLL
- 2001-09-17 15:48:26 11,264 ----a-r C:\WINDOWS\system32\JGAR500.DLL
+ 2001-09-17 14:48:26 11,264 ----a-r C:\WINDOWS\system32\JGAR500.DLL
- 2001-09-17 15:48:26 31,744 ----a-r C:\WINDOWS\system32\JGAU500.DLL
+ 2001-09-17 14:48:26 31,744 ----a-r C:\WINDOWS\system32\JGAU500.DLL
- 2001-09-17 15:48:26 6,144 ----a-r C:\WINDOWS\system32\JGDR500.DLL
+ 2001-09-17 14:48:26 6,144 ----a-r C:\WINDOWS\system32\JGDR500.DLL
- 2001-09-17 15:48:26 144,896 ----a-r C:\WINDOWS\system32\JGDW500.DLL
+ 2001-09-17 14:48:26 144,896 ----a-r C:\WINDOWS\system32\JGDW500.DLL
- 2001-09-17 15:48:26 15,360 ----a-r C:\WINDOWS\system32\JGEA500.DLL
+ 2001-09-17 14:48:26 15,360 ----a-r C:\WINDOWS\system32\JGEA500.DLL
- 2001-09-17 15:48:26 39,424 ----a-r C:\WINDOWS\system32\JGED500.DLL
+ 2001-09-17 14:48:26 39,424 ----a-r C:\WINDOWS\system32\JGED500.DLL
- 2001-09-17 15:48:26 11,264 ----a-r C:\WINDOWS\system32\JGEM500.DLL
+ 2001-09-17 14:48:26 11,264 ----a-r C:\WINDOWS\system32\JGEM500.DLL
- 2001-09-17 15:48:26 10,752 ----a-r C:\WINDOWS\system32\JGFI500.DLL
+ 2001-09-17 14:48:26 10,752 ----a-r C:\WINDOWS\system32\JGFI500.DLL
- 2001-09-17 15:48:26 67,072 ----a-r C:\WINDOWS\system32\JGFR500.DLL
+ 2001-09-17 14:48:26 67,072 ----a-r C:\WINDOWS\system32\JGFR500.DLL
- 2001-09-17 15:48:26 24,576 ----a-r C:\WINDOWS\system32\JGFS500.DLL
+ 2001-09-17 14:48:26 24,576 ----a-r C:\WINDOWS\system32\JGFS500.DLL
- 2001-09-17 15:48:26 12,800 ----a-r C:\WINDOWS\system32\JGGI500.DLL
+ 2001-09-17 14:48:26 12,800 ----a-r C:\WINDOWS\system32\JGGI500.DLL
- 2001-09-17 15:48:26 19,456 ----a-r C:\WINDOWS\system32\JGI1500.DLL
+ 2001-09-17 14:48:26 19,456 ----a-r C:\WINDOWS\system32\JGI1500.DLL
- 2001-09-17 15:48:26 41,984 ----a-r C:\WINDOWS\system32\JGI3500.DLL
+ 2001-09-17 14:48:26 41,984 ----a-r C:\WINDOWS\system32\JGI3500.DLL
- 2001-09-17 15:48:26 60,416 ----a-r C:\WINDOWS\system32\JGI5500.DLL
+ 2001-09-17 14:48:26 60,416 ----a-r C:\WINDOWS\system32\JGI5500.DLL
- 2001-09-17 15:48:26 11,264 ----a-r C:\WINDOWS\system32\JGID500.DLL
+ 2001-09-17 14:48:26 11,264 ----a-r C:\WINDOWS\system32\JGID500.DLL
- 2001-09-17 15:48:26 34,304 ----a-r C:\WINDOWS\system32\JGIP500.DLL
+ 2001-09-17 14:48:26 34,304 ----a-r C:\WINDOWS\system32\JGIP500.DLL
- 2001-09-17 15:48:26 6,656 ----a-r C:\WINDOWS\system32\JGIQ500.DLL
+ 2001-09-17 14:48:26 6,656 ----a-r C:\WINDOWS\system32\JGIQ500.DLL
- 2001-09-17 15:48:26 24,064 ----a-r C:\WINDOWS\system32\JGIT500.DLL
+ 2001-09-17 14:48:26 24,064 ----a-r C:\WINDOWS\system32\JGIT500.DLL
- 2001-09-17 15:48:26 74,240 ----a-r C:\WINDOWS\system32\JGM1500.DLL
+ 2001-09-17 14:48:26 74,240 ----a-r C:\WINDOWS\system32\JGM1500.DLL
- 2001-09-17 15:48:28 29,696 ----a-r C:\WINDOWS\system32\JGMC500.DLL
+ 2001-09-17 14:48:28 29,696 ----a-r C:\WINDOWS\system32\JGMC500.DLL
- 2001-09-17 15:48:28 7,168 ----a-r C:\WINDOWS\system32\JGME500.DLL
+ 2001-09-17 14:48:28 7,168 ----a-r C:\WINDOWS\system32\JGME500.DLL
- 2001-09-17 15:48:28 24,576 ----a-r C:\WINDOWS\system32\JGMI500.DLL
+ 2001-09-17 14:48:28 24,576 ----a-r C:\WINDOWS\system32\JGMI500.DLL
- 2001-09-17 15:48:28 11,264 ----a-r C:\WINDOWS\system32\JGMP500.DLL
+ 2001-09-17 14:48:28 11,264 ----a-r C:\WINDOWS\system32\JGMP500.DLL
- 2001-09-17 15:48:28 24,064 ----a-r C:\WINDOWS\system32\JGN1500.DLL
+ 2001-09-17 14:48:28 24,064 ----a-r C:\WINDOWS\system32\JGN1500.DLL
- 2001-09-17 15:48:28 80,384 ----a-r C:\WINDOWS\system32\JGOS500.DLL
+ 2001-09-17 14:48:28 80,384 ----a-r C:\WINDOWS\system32\JGOS500.DLL
- 2001-09-17 15:48:28 13,824 ----a-r C:\WINDOWS\system32\JGPD500.DLL
+ 2001-09-17 14:48:28 13,824 ----a-r C:\WINDOWS\system32\JGPD500.DLL
- 2001-09-17 15:48:28 15,872 ----a-r C:\WINDOWS\system32\JGPL500.DLL
+ 2001-09-17 14:48:28 15,872 ----a-r C:\WINDOWS\system32\JGPL500.DLL
- 2001-09-17 15:48:28 12,288 ----a-r C:\WINDOWS\system32\JGPP500.DLL
+ 2001-09-17 14:48:28 12,288 ----a-r C:\WINDOWS\system32\JGPP500.DLL
- 2001-09-17 15:48:28 33,280 ----a-r C:\WINDOWS\system32\JGS1500.DLL
+ 2001-09-17 14:48:28 33,280 ----a-r C:\WINDOWS\system32\JGS1500.DLL
- 2001-09-17 15:48:28 15,360 ----a-r C:\WINDOWS\system32\JGS3500.DLL
+ 2001-09-17 14:48:28 15,360 ----a-r C:\WINDOWS\system32\JGS3500.DLL
- 2001-09-17 15:48:28 21,504 ----a-r C:\WINDOWS\system32\JGSN500.DLL
+ 2001-09-17 14:48:28 21,504 ----a-r C:\WINDOWS\system32\JGSN500.DLL
- 2001-09-17 15:48:28 13,312 ----a-r C:\WINDOWS\system32\JGST500.DLL
+ 2001-09-17 14:48:28 13,312 ----a-r C:\WINDOWS\system32\JGST500.DLL
- 2001-09-17 15:48:54 163,840 ----a-r C:\WINDOWS\system32\lt_common.dll
+ 2001-09-17 14:48:54 163,840 ----a-r C:\WINDOWS\system32\lt_common.dll
- 2001-09-17 15:48:54 53,248 ----a-r C:\WINDOWS\system32\lt_encrypt.dll
+ 2001-09-17 14:48:54 53,248 ----a-r C:\WINDOWS\system32\lt_encrypt.dll
- 2001-09-17 15:48:54 20,480 ----a-r C:\WINDOWS\system32\lt_messagetext.dll
+ 2001-09-17 14:48:54 20,480 ----a-r C:\WINDOWS\system32\lt_messagetext.dll
- 2001-09-17 15:48:54 69,632 ----a-r C:\WINDOWS\system32\lt_meta.dll
+ 2001-09-17 14:48:54 69,632 ----a-r C:\WINDOWS\system32\lt_meta.dll
- 2001-09-17 15:48:54 126,976 ----a-r C:\WINDOWS\system32\lt_trans.dll
+ 2001-09-17 14:48:54 126,976 ----a-r C:\WINDOWS\system32\lt_trans.dll
- 2001-09-17 15:48:54 503,808 ----a-r C:\WINDOWS\system32\lt_xtrans.dll
+ 2001-09-17 14:48:54 503,808 ----a-r C:\WINDOWS\system32\lt_xtrans.dll
- 2001-09-17 15:48:54 286,720 ----a-r C:\WINDOWS\system32\MrSIDD.dll
+ 2001-09-17 14:48:54 286,720 ----a-r C:\WINDOWS\system32\MrSIDD.dll
- 2001-09-17 15:48:32 45,056 ----a-r C:\WINDOWS\system32\pscAdimg.dll
+ 2001-09-17 14:48:32 45,056 ----a-r C:\WINDOWS\system32\pscAdimg.dll
- 2001-09-17 15:48:32 110,592 ----a-r C:\WINDOWS\system32\pscCllct.dll
+ 2001-09-17 14:48:32 110,592 ----a-r C:\WINDOWS\system32\pscCllct.dll
- 2001-09-17 15:48:32 303,104 ----a-r C:\WINDOWS\system32\pscDcd.dll
+ 2001-09-17 14:48:32 303,104 ----a-r C:\WINDOWS\system32\pscDcd.dll
- 2001-09-17 15:48:32 167,936 ----a-r C:\WINDOWS\system32\pscDevUI.dll
+ 2001-09-17 14:48:32 167,936 ----a-r C:\WINDOWS\system32\pscDevUI.dll
- 2001-09-17 15:48:32 53,248 ----a-r C:\WINDOWS\system32\pscDvlp.dll
+ 2001-09-17 14:48:32 53,248 ----a-r C:\WINDOWS\system32\pscDvlp.dll
- 2001-09-17 15:48:32 163,840 ----a-r C:\WINDOWS\system32\Pscl2STI.dll
+ 2001-09-17 14:48:32 163,840 ----a-r C:\WINDOWS\system32\Pscl2STI.dll
- 2001-09-17 15:48:32 180,224 ----a-r C:\WINDOWS\system32\pscll.dll
+ 2001-09-17 14:48:32 180,224 ----a-r C:\WINDOWS\system32\pscll.dll
- 2001-09-17 15:48:32 159,744 ----a-r C:\WINDOWS\system32\pscParse.dll
+ 2001-09-17 14:48:32 159,744 ----a-r C:\WINDOWS\system32\pscParse.dll
- 2001-09-17 15:48:32 86,016 ----a-r C:\WINDOWS\system32\pscSetup.dll
+ 2001-09-17 14:48:32 86,016 ----a-r C:\WINDOWS\system32\pscSetup.dll
- 2001-09-17 15:48:32 327,680 ----a-r C:\WINDOWS\system32\psdkdll.dll
+ 2001-09-17 14:48:32 327,680 ----a-r C:\WINDOWS\system32\psdkdll.dll
- 2001-09-17 15:48:32 57,344 ----a-r C:\WINDOWS\system32\psdkReg.dll
+ 2001-09-17 14:48:32 57,344 ----a-r C:\WINDOWS\system32\psdkReg.dll
- 2001-09-17 15:48:32 102,400 ----a-r C:\WINDOWS\system32\psParse.dll
+ 2001-09-17 14:48:32 102,400 ----a-r C:\WINDOWS\system32\psParse.dll
- 2001-06-21 01:21:42 1,056,768 ----a-r C:\WINDOWS\system32\RoboEx32.dll
+ 2001-09-17 14:49:20 317,952 ----a-r C:\WINDOWS\system32\Roboex32.dll
- 2001-09-17 15:49:20 315,392 ----a-r C:\WINDOWS\system32\SoapActor.dll
+ 2001-09-17 14:49:20 315,392 ----a-r C:\WINDOWS\system32\SoapActor.dll
- 2001-09-17 15:49:20 118,784 ----a-r C:\WINDOWS\system32\Transport.dll
+ 2001-09-17 14:49:20 118,784 ----a-r C:\WINDOWS\system32\Transport.dll
- 2001-09-17 15:48:48 49,152 ----a-r C:\WINDOWS\system32\TransportIrCOMM.dll
+ 2001-09-17 14:48:48 49,152 ----a-r C:\WINDOWS\system32\TransportIrCOMM.dll
- 2001-09-17 15:48:48 49,152 ----a-r C:\WINDOWS\system32\TransportIrDA.dll
+ 2001-09-17 14:48:48 49,152 ----a-r C:\WINDOWS\system32\TransportIrDA.dll
- 2001-09-17 15:48:48 49,152 ----a-r C:\WINDOWS\system32\TransportSerial.dll
+ 2001-09-17 14:48:48 49,152 ----a-r C:\WINDOWS\system32\TransportSerial.dll
- 2001-09-17 15:48:48 49,152 ----a-r C:\WINDOWS\system32\TransportUSB.dll
+ 2001-09-17 14:48:48 49,152 ----a-r C:\WINDOWS\system32\TransportUSB.dll
- 2001-09-17 15:49:22 421,888 ----a-r C:\WINDOWS\system32\XMLParser.dll
+ 2001-09-17 14:49:22 421,888 ----a-r C:\WINDOWS\system32\XMLParser.dll
+ 2008-09-30 14:47:00 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_65c.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvMon.exe"="C:\WINDOWS\system32\DrvMon.exe" [2004-09-09 53248]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-04 7204864]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-11-04 86016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 771704]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-09-29 140696]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 C:\WINDOWS\stsystra.exe]
"nwiz"="nwiz.exe" [2005-11-04 C:\WINDOWS\system32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"IMEKRMIG6.1"=C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-05-05 33952]
R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CHECKI~1\BCMNTIO.sys [2004-03-05 3744]
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-09-29 152984]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CHECKI~1\MAPMEM.sys [2004-03-05 3904]
R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2007-10-12 71096]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-09-10 38528]

*Newly Created Service* - COMHOST
*Newly Created Service* - ERASERUTILDRVI7
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\ut0fmt69.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://news.google.com/nwshp?client=firefox-a&rls=org.mozilla:en-US:official&hl=en&tab=wn
FF -: plugin - C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 11:58:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2008-09-30 12:49:28
ComboFix-quarantined-files.txt 2008-09-30 17:49:23
ComboFix2.txt 2008-09-28 21:14:50

Pre-Run: 70,691,127,296 bytes free
Post-Run: 70,677,086,208 bytes free

402 --- E O F --- 2008-09-16 08:00:58


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:13 PM, on 9/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\DrvMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\flexlm\i486_nt\obj\ptc_d.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI31D0~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://liuhaihong2.blog.163.com
O15 - Trusted Zone: http://www.mcmaster.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {13EC470D-6583-42A3-B07D-648F70BC5CA0} - http://extranet.protomold.net/ProtoView/current/setup.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://C:\Program Files\proeWildfire 2.0\i486_nt\obj\pvx_install.exe
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://chil.solidworks.com/htdocs/pdownload/edrawings/e2008sp02/cab/eModelsStandard.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143485616984
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.quickparts.com/java/XUpload.ocx
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10387 bytes


Thanks!
pskelley
2008-10-01, 00:22
Please post only the information I request, let's try another scan:

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks
chicagokeith
2008-10-04, 20:51
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, October 4, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, October 03, 2008 17:55:58
Records in database: 1286557
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
U:\
V:\
W:\

Scan statistics:
Files scanned: 876257
Threat name: 7
Infected objects: 10
Suspicious objects: 4
Duration of the scan: 09:50:02


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\{B072F644-4ACA-471C-B6D9-54FA6C621A70}\{8F83A074-1CF5-4153-A85A-03B8A69AB026}.qbi Infected: VirTool.DOS.TPE 1
C:\Documents and Settings\Keith\Local Settings\Application Data\Microsoft\Outlook\BACKUPS\LEADS & VIA.pst Infected: Trojan-Clicker.HTML.Agent.ag 1
C:\Documents and Settings\Keith\Local Settings\Application Data\Microsoft\Outlook\LEADS & VIA.pst Infected: Trojan-Clicker.HTML.Agent.ag 1
C:\Documents and Settings\Keith\My Documents\STI STuff\Steve Jones\SJs email\SJ\StevesOutlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\Keith\My Documents\STI STuff\Steve Jones\StevesOutlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\QooBox\Quarantine\C\WINDOWS\system32\winkve32.dll.vir Infected: Trojan-Downloader.Win32.FraudLoad.vcia 1
V:\- - - Program Installs - - -\Multi Media\ossmcp.exe Infected: not-a-virus:AdWare.Win32.NavExcel 4
V:\- - - Program Installs - - -\Multi Media\ossmcp.exe Infected: not-a-virus:AdWare.Win32.HelpExpress 1
V:\Computing & Internet\Virtual Network Computing\vnc-3.3.3r9_x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

The selected area was scanned.
pskelley
2008-10-04, 21:11
Kaspersky Online Scanner Friday, October 03, 2008 17:55:58
I suggest you do this:

(Delete the contents of that QBackup folder...have never seen that folder before, you may want to ask Symantec about it?)
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\{B072F644-4ACA-471C-B6D9-54FA6C621A70}\{8F83A074-1CF5-4153-A85A-03B8A69AB026}.qbi ------> VirTool.DOS.TPE 1

(delete the files in red)
C:\Documents and Settings\Keith\Local Settings\Application Data\Microsoft\Outlook\BACKUPS\LEADS & VIA.pst ------> Trojan-Clicker.HTML.Agent.ag 1
C:\Documents and Settings\Keith\Local Settings\Application Data\Microsoft\Outlook\LEADS & VIA.pst ------> Trojan-Clicker.HTML.Agent.ag 1

(delete the email in red)
C:\Documents and Settings\Keith\My Documents\STI STuff\Steve Jones\SJs email\SJ\StevesOutlook.pst <------Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\Keith\My Documents\STI STuff\Steve Jones\StevesOutlook.pst <------Trojan-Spy.HTML.Fraud.gen 2

(this item will be removed when we remove combofix)
C:\QooBox\Quarantine\C\WINDOWS\system32\winkve32.dll.vir ------> Trojan-Downloader.Win32.FraudLoad.vcia 1

(no idea what the V:\ is but if it is a flash drive or USB drive, it is likely infected. I would delete anything you see on your computer and format that drive if it is removable media)
V:\- - - Program Installs - - -\Multi Media\ossmcp.exe ------> AdWare.Win32.NavExcel 4
V:\- - - Program Installs - - -\Multi Media\ossmcp.exe ------> AdWare.Win32.HelpExpress 1
V:\Computing & Internet\Virtual Network Computing\vnc-3.3.3r9_x86_win32.zip ------> RemoteAdmin.Win32.WinVNC.333 1


Post an uninstall list:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

I suggest you start looking at this information:
http://www.netsquirrel.com/msconfig/msconfig_xp.html
http://www.malwareremoval.com/tutorials/runningslowly.php
http://users.telenet.be/bluepatchy/miekiemoes/slowcomp


Let me know how the computer is running now.

Thanks
pskelley
2008-10-09, 23:46
Let me know how the computer is running now.
2008-10-04, 14:11 <<< no response since

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.