View Full Version : HELP: Cannot Permanently "Fix" Virtumonde.sci
Please Help! Spybot S&D version 1.6.2.46 with latest detection updates (5/27/09) detected Virtumonde.sci. Tried several times to "fix", but will not permanently delete. Not detected by Symantec Antivirus. Saved ERUNT log file and disabled TeaTime. HiJackThis file below:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:38 PM, on 5/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\StorageSync\StrgSync.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\yProxy\yProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://middlegeorgia.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SpyBot\SDHelper.dll
O2 - BHO: (no name) - {73b34e55-8c4f-4131-b7b2-121b9dfdf037} - (no file)
O2 - BHO: (no name) - {7C868031-55A6-41EB-8D48-85C13552D78A} - (no file)
O2 - BHO: (no name) - {80F66977-8258-4A21-9B72-A10E6FE4B86F} - (no file)
O2 - BHO: (no name) - {95FA38AE-6AAE-426C-AAA4-023B6156821D} - (no file)
O2 - BHO: (no name) - {D3D22D49-91AD-4699-93E1-0D25881C13F1} - (no file)
O2 - BHO: (no name) - {de65c069-4ea1-4797-9dcd-834f7b372c28} - (no file)
O2 - BHO: (no name) - {E299C2D6-B360-4F84-B2C0-F8BC8FD787D3} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Regscan]
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Charles\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: yProxy.lnk = C:\Program Files\yProxy\yProxy.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SpyBot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SpyBot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&6&04.00.04.03&unknown&unknown&http://www.kia.com/newspectra/spectra-zoomview.php
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228585501687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228585480796
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows Packet Sender - Unknown owner - C:\Documents and Settings\Charles\Application Data\Userinit.exe (file missing)
--
End of file - 10620 bytes
pskelley
2009-05-31, 15:49
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
You must have read and followed the "Before you Post" instructions.
Two things concern me in the HJT log, and stuff may be hidden from HJT also.
O4 - HKCU\..\Run: [Regscan] <<< incomplete item which may be this:
http://www.systemlookup.com/Startup/10188.html
http://www.sophos.com/security/analyses/viruses-and-spyware/trojoptixse.html
I can not say for sure because the executable is not showing? It may be benign?
O23 - Service: Windows Packet Sender - Unknown owner - C:\Documents and Settings\Charles\Application Data\Userinit.exe
Not having seen this service before, do you know it? IF NOT:
Make sure you can view all files and folders:
http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp
Use this scan to scan that file in RED.
(make sure you follow that exact pathway, Userinit.exe elsewhere would be a valid file)
http://virusscan.jotti.org/ and post the results.
1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.
2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use
Download ComboFix from here:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
Thanks
I made sure that all hidden files were shown and could not find the Userinit.exe file at the location in the HiJackThis log from yesterday - no file to scan with Jotti's malware scan.
Downloaded and ran ComboFix - log below:
ComboFix 09-05-30.04 - Charles 05/31/2009 10:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.232 [GMT -4:00]
Running from: c:\documents and settings\Charles\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\windows\db32.txt
c:\windows\IE4 Error Log.txt
c:\windows\system32\bfvyewam.dll
c:\windows\system32\dtwqmueh.dll
c:\windows\system32\haqrwvtf.dll
c:\windows\system32\iadrxmrl.dll
c:\windows\system32\ijetcwma.dll
c:\windows\system32\lnhlfejf.dll
c:\windows\system32\maweyvfb.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\mlJArpPf.dll
c:\windows\system32\msfontsft.dll
c:\windows\system32\mssockiw.dll
c:\windows\system32\oakjxmkc.dll
c:\windows\system32\oaktfx.dll
c:\windows\system32\okvrptqk.dll
c:\windows\system32\pkshnutb.dll
c:\windows\system32\qnmsqayl.dll
c:\windows\system32\qqhsxroa.dll
c:\windows\system32\qqxkwlnx.dll
c:\windows\system32\rorluydo.dll
c:\windows\system32\TDSSehys.dll
c:\windows\system32\umdgmq.dll
c:\windows\system32\veglpjrw.dll
c:\windows\system32\wgubnt.dll
c:\windows\system32\woaoznte.dll
c:\windows\system32\yusribkq.dll
c:\windows\wiaserviv.log
c:\windows\wiaservv.log
c:\windows\ws386.ini
G:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))))))))))))))))))))))))
.
2009-05-30 20:25 . 2009-05-30 20:26 -------- d-----w- c:\program files\ERUNT
2009-05-30 17:26 . 2009-05-30 17:31 -------- d-----w- c:\program files\Windows Live Safety Center
2009-05-30 14:21 . 2009-05-30 14:21 -------- d-----w- c:\windows\system32\wbem\Repository
2009-05-20 02:12 . 2008-12-17 18:39 6529320 ---ha-w- c:\documents and settings\Charles\Application Data\mjusbsp\in00000\setup.exe
2009-05-20 02:12 . 2008-12-17 18:37 723120 ---ha-w- c:\documents and settings\Charles\Application Data\mjusbsp\ar00000\install.exe
2009-05-20 02:12 . 2008-02-29 12:42 386496 ----a-w- c:\documents and settings\Charles\Application Data\mjusbsp\ar00000\magicJackSplash.exe
2009-05-12 22:39 . 2009-05-12 22:39 -------- d-----w- C:\Downloads
2009-05-12 00:49 . 2009-05-31 14:33 -------- d-----w- c:\program files\FlashGet
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-31 14:38 . 2008-03-01 15:12 -------- d-----w- c:\program files\Symantec AntiVirus
2009-05-31 13:42 . 2007-09-16 15:32 -------- d-----w- c:\program files\Visual CD
2009-05-31 10:35 . 2008-08-22 21:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-30 20:55 . 2009-05-30 20:51 -------- d-----w- c:\program files\Trend Micro
2009-05-30 14:21 . 2008-03-19 22:45 -------- d-----w- c:\documents and settings\Charles\Application Data\mjusbsp
2009-04-25 13:31 . 2006-08-19 06:44 -------- d-----w- c:\program files\Google
2009-04-05 00:33 . 2009-04-05 00:31 -------- d-----w- c:\program files\TubeHunter Ultra
2009-04-05 00:32 . 2009-04-05 00:32 131072 ----a-r- c:\documents and settings\Charles\Application Data\Microsoft\Installer\{3254FD51-9910-48C4-AC9B-AF3691C1544C}\NewShortcut3_3254FD51991048C4AC9BAF3691C1544C.exe
2009-04-05 00:32 . 2009-04-05 00:32 131072 ----a-r- c:\documents and settings\Charles\Application Data\Microsoft\Installer\{3254FD51-9910-48C4-AC9B-AF3691C1544C}\NewShortcut1_3254FD51991048C4AC9BAF3691C1544C.exe
2009-04-05 00:32 . 2009-04-05 00:32 10134 ----a-r- c:\documents and settings\Charles\Application Data\Microsoft\Installer\{3254FD51-9910-48C4-AC9B-AF3691C1544C}\ARPPRODUCTICON.exe
2009-04-04 21:55 . 2007-04-29 02:00 -------- d-----w- c:\program files\TubeHunter
2009-03-08 08:34 . 2004-08-12 14:09 914944 ----a-w- c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2004-08-12 13:59 43008 ----a-w- c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2004-08-12 13:56 18944 ----a-w- c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2004-08-12 14:08 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2004-08-12 13:55 72704 ----a-w- c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2004-08-12 13:58 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2004-08-12 13:58 34816 ----a-w- c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2004-08-12 14:00 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2004-08-12 14:00 45568 ----a-w- c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2004-08-12 14:00 156160 ----a-w- c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-12 14:03 284160 ----a-w- c:\windows\system32\pdh.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"cdloader"="c:\documents and settings\Charles\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-08 3032576]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2005-03-14 335970]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-20 53248]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
c:\documents and settings\Charles\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
yProxy.lnk - c:\program files\yProxy\yProxy.exe [2005-9-16 675328]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave2"= serwvdrv.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\FlashGet\\FlashGet.exe"=
"c:\\Documents and Settings\\Charles\\Application Data\\mjusbsp\\magicJack.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19693:TCP"= 19693:TCP:PORT_19693
"10851:TCP"= 10851:TCP:PORT_10851
"58771:TCP"= 58771:TCP:PORT_58771
"53256:TCP"= 53256:TCP:PORT_53256
"48868:TCP"= 48868:TCP:PORT_48868
"15861:TCP"= 15861:TCP:PORT_15861
"11020:TCP"= 11020:TCP:PORT_11020
"12332:TCP"= 12332:TCP:PORT_12332
"41328:TCP"= 41328:TCP:PORT_41328
"29570:TCP"= 29570:TCP:PORT_29570
"21693:TCP"= 21693:TCP:PORT_21693
"37484:TCP"= 37484:TCP:PORT_37484
"5193:TCP"= 5193:TCP:PORT_5193
"10508:TCP"= 10508:TCP:PORT_10508
"16348:TCP"= 16348:TCP:PORT_16348
"42195:TCP"= 42195:TCP:PORT_42195
"25438:TCP"= 25438:TCP:PORT_25438
"28141:TCP"= 28141:TCP:PORT_28141
"65404:TCP"= 65404:TCP:PORT_65404
"15063:TCP"= 15063:TCP:PORT_15063
"52346:TCP"= 52346:TCP:PORT_52346
"24350:TCP"= 24350:TCP:PORT_24350
"37661:TCP"= 37661:TCP:PORT_37661
"15122:TCP"= 15122:TCP:PORT_15122
"56343:TCP"= 56343:TCP:PORT_56343
"22603:TCP"= 22603:TCP:PORT_22603
"53868:TCP"= 53868:TCP:PORT_53868
"23586:TCP"= 23586:TCP:PORT_23586
"53833:TCP"= 53833:TCP:PORT_53833
"34429:TCP"= 34429:TCP:PORT_34429
"15513:TCP"= 15513:TCP:PORT_15513
"11147:TCP"= 11147:TCP:PORT_11147
"64908:TCP"= 64908:TCP:PORT_64908
"20326:TCP"= 20326:TCP:PORT_20326
"42390:TCP"= 42390:TCP:PORT_42390
"20951:TCP"= 20951:TCP:PORT_20951
"50181:TCP"= 50181:TCP:PORT_50181
"31110:TCP"= 31110:TCP:PORT_31110
"17325:TCP"= 17325:TCP:PORT_17325
"11725:TCP"= 11725:TCP:PORT_11725
"47876:TCP"= 47876:TCP:PORT_47876
"42527:TCP"= 42527:TCP:PORT_42527
"29130:TCP"= 29130:TCP:PORT_29130
"53900:TCP"= 53900:TCP:PORT_53900
"27606:TCP"= 27606:TCP:PORT_27606
"29133:TCP"= 29133:TCP:PORT_29133
"27444:TCP"= 27444:TCP:PORT_27444
"19463:TCP"= 19463:TCP:PORT_19463
"34583:TCP"= 34583:TCP:PORT_34583
"32266:TCP"= 32266:TCP:PORT_32266
"35400:TCP"= 35400:TCP:PORT_35400
"33911:TCP"= 33911:TCP:PORT_33911
"21531:TCP"= 21531:TCP:PORT_21531
"5372:TCP"= 5372:TCP:PORT_5372
"64020:TCP"= 64020:TCP:PORT_64020
"10808:TCP"= 10808:TCP:PORT_10808
"43099:TCP"= 43099:TCP:PORT_43099
"9034:TCP"= 9034:TCP:PORT_9034
"59227:TCP"= 59227:TCP:PORT_59227
"10768:TCP"= 10768:TCP:PORT_10768
"56750:TCP"= 56750:TCP:PORT_56750
"54595:TCP"= 54595:TCP:PORT_54595
"19904:TCP"= 19904:TCP:PORT_19904
"43088:TCP"= 43088:TCP:PORT_43088
"51841:TCP"= 51841:TCP:PORT_51841
"36938:TCP"= 36938:TCP:PORT_36938
"15350:TCP"= 15350:TCP:PORT_15350
"45964:TCP"= 45964:TCP:PORT_45964
"58766:TCP"= 58766:TCP:PORT_58766
"18436:TCP"= 18436:TCP:PORT_18436
"60396:TCP"= 60396:TCP:PORT_60396
"33551:TCP"= 33551:TCP:PORT_33551
"64963:TCP"= 64963:TCP:PORT_64963
"41789:TCP"= 41789:TCP:PORT_41789
"11515:TCP"= 11515:TCP:PORT_11515
"46755:TCP"= 46755:TCP:PORT_46755
"14824:TCP"= 14824:TCP:PORT_14824
"28135:TCP"= 28135:TCP:PORT_28135
"37388:TCP"= 37388:TCP:PORT_37388
"18590:TCP"= 18590:TCP:PORT_18590
"15271:TCP"= 15271:TCP:PORT_15271
"7781:TCP"= 7781:TCP:PORT_7781
"54201:TCP"= 54201:TCP:PORT_54201
"12010:TCP"= 12010:TCP:PORT_12010
"20015:TCP"= 20015:TCP:PORT_20015
"25509:TCP"= 25509:TCP:PORT_25509
"37895:TCP"= 37895:TCP:PORT_37895
"12285:TCP"= 12285:TCP:PORT_12285
"45651:TCP"= 45651:TCP:PORT_45651
"62266:TCP"= 62266:TCP:PORT_62266
"47919:TCP"= 47919:TCP:PORT_47919
"31828:TCP"= 31828:TCP:PORT_31828
"54610:TCP"= 54610:TCP:PORT_54610
"50707:TCP"= 50707:TCP:PORT_50707
"21698:TCP"= 21698:TCP:PORT_21698
"16100:TCP"= 16100:TCP:PORT_16100
"5880:TCP"= 5880:TCP:PORT_5880
"50815:TCP"= 50815:TCP:PORT_50815
"64985:TCP"= 64985:TCP:PORT_64985
"33040:TCP"= 33040:TCP:PORT_33040
"29614:TCP"= 29614:TCP:PORT_29614
"46013:TCP"= 46013:TCP:PORT_46013
"24476:TCP"= 24476:TCP:PORT_24476
"13780:TCP"= 13780:TCP:PORT_13780
"20918:TCP"= 20918:TCP:PORT_20918
"50427:TCP"= 50427:TCP:PORT_50427
"28356:TCP"= 28356:TCP:PORT_28356
"26622:TCP"= 26622:TCP:PORT_26622
"54525:TCP"= 54525:TCP:PORT_54525
"47710:TCP"= 47710:TCP:PORT_47710
"56068:TCP"= 56068:TCP:PORT_56068
"23905:TCP"= 23905:TCP:PORT_23905
"12731:TCP"= 12731:TCP:PORT_12731
"30310:TCP"= 30310:TCP:PORT_30310
"33154:TCP"= 33154:TCP:PORT_33154
"46009:TCP"= 46009:TCP:PORT_46009
"35706:TCP"= 35706:TCP:PORT_35706
"36594:TCP"= 36594:TCP:PORT_36594
"21036:TCP"= 21036:TCP:PORT_21036
"45868:TCP"= 45868:TCP:PORT_45868
"30856:TCP"= 30856:TCP:PORT_30856
"39403:TCP"= 39403:TCP:PORT_39403
"27560:TCP"= 27560:TCP:PORT_27560
"61391:TCP"= 61391:TCP:PORT_61391
"63946:TCP"= 63946:TCP:PORT_63946
"46328:TCP"= 46328:TCP:PORT_46328
"54037:TCP"= 54037:TCP:PORT_54037
"55395:TCP"= 55395:TCP:PORT_55395
"52704:TCP"= 52704:TCP:PORT_52704
"42431:TCP"= 42431:TCP:PORT_42431
"49648:TCP"= 49648:TCP:PORT_49648
"9208:TCP"= 9208:TCP:PORT_9208
"56666:TCP"= 56666:TCP:PORT_56666
"11370:TCP"= 11370:TCP:PORT_11370
"47701:TCP"= 47701:TCP:PORT_47701
"23685:TCP"= 23685:TCP:PORT_23685
"62514:TCP"= 62514:TCP:PORT_62514
"29661:TCP"= 29661:TCP:PORT_29661
"40165:TCP"= 40165:TCP:PORT_40165
"42196:TCP"= 42196:TCP:PORT_42196
"60316:TCP"= 60316:TCP:PORT_60316
"10325:TCP"= 10325:TCP:PORT_10325
"54266:TCP"= 54266:TCP:PORT_54266
"33301:TCP"= 33301:TCP:PORT_33301
"26090:TCP"= 26090:TCP:PORT_26090
"63004:TCP"= 63004:TCP:PORT_63004
"28138:TCP"= 28138:TCP:PORT_28138
"12004:TCP"= 12004:TCP:PORT_12004
"39082:TCP"= 39082:TCP:PORT_39082
"57395:TCP"= 57395:TCP:PORT_57395
"52680:TCP"= 52680:TCP:PORT_52680
"13430:TCP"= 13430:TCP:PORT_13430
"54295:TCP"= 54295:TCP:PORT_54295
"52621:TCP"= 52621:TCP:PORT_52621
"19431:TCP"= 19431:TCP:PORT_19431
"31969:TCP"= 31969:TCP:PORT_31969
"52578:TCP"= 52578:TCP:PORT_52578
"42630:TCP"= 42630:TCP:PORT_42630
"9482:TCP"= 9482:TCP:PORT_9482
"6938:TCP"= 6938:TCP:PORT_6938
"42056:TCP"= 42056:TCP:PORT_42056
"27540:TCP"= 27540:TCP:PORT_27540
"12516:TCP"= 12516:TCP:PORT_12516
"49340:TCP"= 49340:TCP:PORT_49340
"29087:TCP"= 29087:TCP:PORT_29087
"44063:TCP"= 44063:TCP:PORT_44063
"43341:TCP"= 43341:TCP:PORT_43341
"13783:TCP"= 13783:TCP:PORT_13783
"5406:TCP"= 5406:TCP:PORT_5406
"19153:TCP"= 19153:TCP:PORT_19153
"24297:TCP"= 24297:TCP:PORT_24297
"50331:TCP"= 50331:TCP:PORT_50331
"54498:TCP"= 54498:TCP:PORT_54498
"57516:TCP"= 57516:TCP:PORT_57516
"18489:TCP"= 18489:TCP:PORT_18489
"11193:TCP"= 11193:TCP:PORT_11193
"37794:TCP"= 37794:TCP:PORT_37794
"25485:TCP"= 25485:TCP:PORT_25485
"57066:TCP"= 57066:TCP:PORT_57066
"31092:TCP"= 31092:TCP:PORT_31092
"27621:TCP"= 27621:TCP:PORT_27621
"22051:TCP"= 22051:TCP:PORT_22051
"49160:TCP"= 49160:TCP:PORT_49160
"56000:TCP"= 56000:TCP:PORT_56000
"43926:TCP"= 43926:TCP:PORT_43926
"35582:TCP"= 35582:TCP:PORT_35582
"39787:TCP"= 39787:TCP:PORT_39787
"64891:TCP"= 64891:TCP:PORT_64891
"16316:TCP"= 16316:TCP:PORT_16316
"18362:TCP"= 18362:TCP:PORT_18362
"41036:TCP"= 41036:TCP:PORT_41036
"6458:TCP"= 6458:TCP:PORT_6458
"34953:TCP"= 34953:TCP:PORT_34953
"59957:TCP"= 59957:TCP:PORT_59957
"58388:TCP"= 58388:TCP:PORT_58388
"38151:TCP"= 38151:TCP:PORT_38151
"33700:TCP"= 33700:TCP:PORT_33700
"48688:TCP"= 48688:TCP:PORT_48688
"45293:TCP"= 45293:TCP:PORT_45293
"6828:TCP"= 6828:TCP:PORT_6828
"16641:TCP"= 16641:TCP:PORT_16641
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 5:42 PM 156968]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/1/2008 3:13 AM 34064]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/25/2009 8:56 PM 101936]
S2 Windows Packet Sender;Windows Packet Sender;c:\documents and settings\Charles\Application Data\Userinit.exe srv --> c:\documents and settings\Charles\Application Data\Userinit.exe srv [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 7:34 AM 115952]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-05-31 c:\windows\Tasks\HP WEP.job
- c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 19:28]
2009-05-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
2009-05-31 c:\windows\Tasks\User_Feed_Synchronization-{FD0FBCD3-6693-46EC-B6E0-663F3AC77280}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
- - - - ORPHANS REMOVED - - - -
BHO-{73b34e55-8c4f-4131-b7b2-121b9dfdf037} - (no file)
BHO-{7C868031-55A6-41EB-8D48-85C13552D78A} - (no file)
BHO-{80F66977-8258-4A21-9B72-A10E6FE4B86F} - (no file)
BHO-{95FA38AE-6AAE-426C-AAA4-023B6156821D} - (no file)
BHO-{D3D22D49-91AD-4699-93E1-0D25881C13F1} - (no file)
BHO-{de65c069-4ea1-4797-9dcd-834f7b372c28} - (no file)
BHO-{E299C2D6-B360-4F84-B2C0-F8BC8FD787D3} - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
SafeBoot-procexp90.Sys
SafeBoot-TDSSpaxt.sys
SafeBoot-TDSSpxoe.sys
.
------- Supplementary Scan -------
.
uStart Page = hxxp://middlegeorgia.cox.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: taxactonline.com\www
DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - hxxp://www3.authentium.com/cssrelease/bin/wizard.exe
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 10:41
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-05-31 10:44
ComboFix-quarantined-files.txt 2009-05-31 14:44
Pre-Run: 3,803,832,320 bytes free
Post-Run: 4,706,762,752 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
383 --- E O F --- 2009-05-21 19:23
I had to re-boot my computer after the ComboFix scan an then ran a HiJackThis scan - log below:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:59 AM, on 5/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\StorageSync\StrgSync.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\yProxy\yProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://middlegeorgia.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SpyBot\SDHelper.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - HKLM\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Charles\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: yProxy.lnk = C:\Program Files\yProxy\yProxy.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SpyBot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SpyBot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228585501687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228585480796
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows Packet Sender - Unknown owner - C:\Documents and Settings\Charles\Application Data\Userinit.exe (file missing)
--
End of file - 9394 bytes
and then ran an uninstall list:
7-Zip 4.58 beta
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Reader 9
Adobe Shockwave Player
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Authentium Web Install Helper
Broadcom Gigabit Integrated Controller
CDisplay 1.8
Cole2k Media - Codec Pack (Advanced) 6.0.9
Cox Online Support Controls
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell ResourceCD
DellConnect
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
ERUNT 1.1j
FlashGet 1.9.6.1073
FLV Player 1.3.3
GrabIt 1.7.2 Beta 3 (build 996)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
HP LaserJet P1000 series
HPCarePackCore
HPCarePackProducts
HPSSupply
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Matrix Storage Manager
IrfanView (remove only)
Jasc Paint Shop Photo Album
LiveUpdate 3.0 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
MrvlUsgTracking
MSN
MSN Music Assistant
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MUSICMATCH® Jukebox
PowerDVD 5.3
QuickPar 0.9
QuickTime Alternative 1.67
Real Alternative 1.7.5 Lite
Registry Mechanic 8.0
Seagate Manager Installer
Seagate Manager Installer
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Sonic DLA
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
SoundMAX
Spybot - Search & Destroy
StorageSync Backup Software
Symantec AntiVirus
TubeHunter
TubeHunter Ultra
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VideoLAN VLC media player 0.8.6f
Visual CD
WebCyberCoach 3.2 Dell
Wiagra Video Joiner 3
Windows Defender
Windows Genuine Advantage v1.3.0254.0
Windows Installer Clean Up
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
winpcap-nmap 4.02
WinRAR archiver
yProxy
That's what I've done so far.
Thanks again,
dwv306
pskelley
2009-05-31, 20:27
Let's look at the uninstall list first.
Adobe Flash Player 10 ActiveX <<< check this:
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html
Adobe Reader 9 <<< check this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html
http://www.filehippo.com/download_adobe_reader/
Can I assume from your comments that you do not know what this is:
O23 - Service: Windows Packet Sender - Unknown owner - C:\Documents and Settings\Charles\Application Data\Userinit.exe
Windows Packet Sender is not in the List of Services I have, see this:
http://www.systemlookup.com/lists.php?list=8&type=filename&search=Windows+Packet+Sender+&s=
Continue carefully and in the numbered order.
1) Let's disable that service like this:
Disable the offending Service
Click Start < Run and type services.msc
Scroll down Windows Packet Sender to and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
3) Open notepad and copy/paste the text in the codebox below into it:
File::
C:\Documents and Settings\Charles\Application Data\Userinit.exe
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html
How is the computer running now?
Thanks...Phil
Phil,
Thanks for ALL of your help with this issue. I uninstalled the older versions of both Adobe Flash Player 10 ActiveX and Adobe Reader 9 and downloaded/installed the most recent versions (FP 10.0.22.87 and Reader 9.1).
I do NOT know what the file "Windows Packet Sender" is and disabled it following your instructions. I downloaded ATF Cleaner, created the notepad file CFScript.txt and ran ComboFix.exe again. After completion, it did NOT save the CFScript.txt file, but did create the ComboFix.txt log file posted below:
ComboFix 09-05-31.02 - Charles 05/31/2009 17:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.212 [GMT -4:00]
Running from: c:\documents and settings\Charles\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Charles\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FILE ::
"c:\documents and settings\Charles\Application Data\Userinit.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
G:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))))))))))))))))))))))))
.
2009-05-31 20:54 . 2009-05-31 20:54 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-31 20:47 . 2009-05-31 20:52 -------- d-----w- c:\program files\Adobe Reader
2009-05-31 20:06 . 2009-05-31 21:01 -------- d-----w- c:\windows\LastGood
2009-05-30 20:51 . 2009-05-31 15:12 -------- d-----w- c:\program files\Trend Micro
2009-05-30 20:25 . 2009-05-30 20:26 -------- d-----w- c:\program files\ERUNT
2009-05-30 17:26 . 2009-05-30 17:31 -------- d-----w- c:\program files\Windows Live Safety Center
2009-05-30 14:21 . 2009-05-30 14:21 -------- d-----w- c:\windows\system32\wbem\Repository
2009-05-20 02:12 . 2008-12-17 18:39 6529320 ---ha-w- c:\documents and settings\Charles\Application Data\mjusbsp\in00000\setup.exe
2009-05-20 02:12 . 2008-12-17 18:37 723120 ---ha-w- c:\documents and settings\Charles\Application Data\mjusbsp\ar00000\install.exe
2009-05-20 02:12 . 2008-02-29 12:42 386496 ----a-w- c:\documents and settings\Charles\Application Data\mjusbsp\ar00000\magicJackSplash.exe
2009-05-12 22:39 . 2009-05-12 22:39 -------- d-----w- C:\Downloads
2009-05-12 00:49 . 2009-05-31 21:29 -------- d-----w- c:\program files\FlashGet
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-31 21:35 . 2008-03-01 15:12 -------- d-----w- c:\program files\Symantec AntiVirus
2009-05-31 20:53 . 2005-06-28 22:57 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-31 17:50 . 2007-09-16 15:32 -------- d-----w- c:\program files\Visual CD
2009-05-31 15:01 . 2008-08-22 21:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-30 14:21 . 2008-03-19 22:45 -------- d-----w- c:\documents and settings\Charles\Application Data\mjusbsp
2009-04-25 13:31 . 2006-08-19 06:44 -------- d-----w- c:\program files\Google
2009-04-05 00:33 . 2009-04-05 00:31 -------- d-----w- c:\program files\TubeHunter Ultra
2009-04-05 00:32 . 2009-04-05 00:32 131072 ----a-r- c:\documents and settings\Charles\Application Data\Microsoft\Installer\{3254FD51-9910-48C4-AC9B-AF3691C1544C}\NewShortcut3_3254FD51991048C4AC9BAF3691C1544C.exe
2009-04-05 00:32 . 2009-04-05 00:32 131072 ----a-r- c:\documents and settings\Charles\Application Data\Microsoft\Installer\{3254FD51-9910-48C4-AC9B-AF3691C1544C}\NewShortcut1_3254FD51991048C4AC9BAF3691C1544C.exe
2009-04-05 00:32 . 2009-04-05 00:32 10134 ----a-r- c:\documents and settings\Charles\Application Data\Microsoft\Installer\{3254FD51-9910-48C4-AC9B-AF3691C1544C}\ARPPRODUCTICON.exe
2009-04-04 21:55 . 2007-04-29 02:00 -------- d-----w- c:\program files\TubeHunter
2009-03-08 08:34 . 2004-08-12 14:09 914944 ----a-w- c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2004-08-12 13:59 43008 ----a-w- c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2004-08-12 13:56 18944 ----a-w- c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2004-08-12 14:08 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2004-08-12 13:55 72704 ----a-w- c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2004-08-12 13:58 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2004-08-12 13:58 34816 ----a-w- c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2004-08-12 14:00 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2004-08-12 14:00 45568 ----a-w- c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2004-08-12 14:00 156160 ----a-w- c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-12 14:03 284160 ----a-w- c:\windows\system32\pdh.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-05-31_14.41.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-31 21:02 . 2009-05-31 21:02 89102 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2009-02-27 01:28 . 2009-02-27 01:28 89102 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-09-15 17:22 . 2008-09-15 17:22 59719 c:\windows\system32\Macromed\Download\Install.exe
+ 2009-05-31 21:01 . 2008-09-15 17:22 59719 c:\windows\LastGood\system32\Macromed\Download\Install.exe
+ 2008-09-15 17:22 . 2008-09-15 17:22 112016 c:\windows\system32\Macromed\Download\Download.dll
+ 2009-04-04 23:59 . 2009-05-31 20:55 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-04-04 23:59 . 2009-05-30 23:39 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-05-31 21:01 . 2008-09-15 17:22 112016 c:\windows\LastGood\system32\Macromed\Download\Download.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"cdloader"="c:\documents and settings\Charles\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-08 3032576]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2005-03-14 335970]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-20 53248]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"Adobe Reader Speed Launcher"="c:\program files\Adobe Reader\Reader\Reader_sl.exe" [2009-02-27 35696]
c:\documents and settings\Charles\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
yProxy.lnk - c:\program files\yProxy\yProxy.exe [2005-9-16 675328]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave2"= serwvdrv.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\FlashGet\\FlashGet.exe"=
"c:\\Documents and Settings\\Charles\\Application Data\\mjusbsp\\magicJack.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19693:TCP"= 19693:TCP:PORT_19693
"10851:TCP"= 10851:TCP:PORT_10851
"58771:TCP"= 58771:TCP:PORT_58771
"53256:TCP"= 53256:TCP:PORT_53256
"48868:TCP"= 48868:TCP:PORT_48868
"15861:TCP"= 15861:TCP:PORT_15861
"11020:TCP"= 11020:TCP:PORT_11020
"12332:TCP"= 12332:TCP:PORT_12332
"41328:TCP"= 41328:TCP:PORT_41328
"29570:TCP"= 29570:TCP:PORT_29570
"21693:TCP"= 21693:TCP:PORT_21693
"37484:TCP"= 37484:TCP:PORT_37484
"5193:TCP"= 5193:TCP:PORT_5193
"10508:TCP"= 10508:TCP:PORT_10508
"16348:TCP"= 16348:TCP:PORT_16348
"42195:TCP"= 42195:TCP:PORT_42195
"25438:TCP"= 25438:TCP:PORT_25438
"28141:TCP"= 28141:TCP:PORT_28141
"65404:TCP"= 65404:TCP:PORT_65404
"15063:TCP"= 15063:TCP:PORT_15063
"52346:TCP"= 52346:TCP:PORT_52346
"24350:TCP"= 24350:TCP:PORT_24350
"37661:TCP"= 37661:TCP:PORT_37661
"15122:TCP"= 15122:TCP:PORT_15122
"56343:TCP"= 56343:TCP:PORT_56343
"22603:TCP"= 22603:TCP:PORT_22603
"53868:TCP"= 53868:TCP:PORT_53868
"23586:TCP"= 23586:TCP:PORT_23586
"53833:TCP"= 53833:TCP:PORT_53833
"34429:TCP"= 34429:TCP:PORT_34429
"15513:TCP"= 15513:TCP:PORT_15513
"11147:TCP"= 11147:TCP:PORT_11147
"64908:TCP"= 64908:TCP:PORT_64908
"20326:TCP"= 20326:TCP:PORT_20326
"42390:TCP"= 42390:TCP:PORT_42390
"20951:TCP"= 20951:TCP:PORT_20951
"50181:TCP"= 50181:TCP:PORT_50181
"31110:TCP"= 31110:TCP:PORT_31110
"17325:TCP"= 17325:TCP:PORT_17325
"11725:TCP"= 11725:TCP:PORT_11725
"47876:TCP"= 47876:TCP:PORT_47876
"42527:TCP"= 42527:TCP:PORT_42527
"29130:TCP"= 29130:TCP:PORT_29130
"53900:TCP"= 53900:TCP:PORT_53900
"27606:TCP"= 27606:TCP:PORT_27606
"29133:TCP"= 29133:TCP:PORT_29133
"27444:TCP"= 27444:TCP:PORT_27444
"19463:TCP"= 19463:TCP:PORT_19463
"34583:TCP"= 34583:TCP:PORT_34583
"32266:TCP"= 32266:TCP:PORT_32266
"35400:TCP"= 35400:TCP:PORT_35400
"33911:TCP"= 33911:TCP:PORT_33911
"21531:TCP"= 21531:TCP:PORT_21531
"5372:TCP"= 5372:TCP:PORT_5372
"64020:TCP"= 64020:TCP:PORT_64020
"10808:TCP"= 10808:TCP:PORT_10808
"43099:TCP"= 43099:TCP:PORT_43099
"9034:TCP"= 9034:TCP:PORT_9034
"59227:TCP"= 59227:TCP:PORT_59227
"10768:TCP"= 10768:TCP:PORT_10768
"56750:TCP"= 56750:TCP:PORT_56750
"54595:TCP"= 54595:TCP:PORT_54595
"19904:TCP"= 19904:TCP:PORT_19904
"43088:TCP"= 43088:TCP:PORT_43088
"51841:TCP"= 51841:TCP:PORT_51841
"36938:TCP"= 36938:TCP:PORT_36938
"15350:TCP"= 15350:TCP:PORT_15350
"45964:TCP"= 45964:TCP:PORT_45964
"58766:TCP"= 58766:TCP:PORT_58766
"18436:TCP"= 18436:TCP:PORT_18436
"60396:TCP"= 60396:TCP:PORT_60396
"33551:TCP"= 33551:TCP:PORT_33551
"64963:TCP"= 64963:TCP:PORT_64963
"41789:TCP"= 41789:TCP:PORT_41789
"11515:TCP"= 11515:TCP:PORT_11515
"46755:TCP"= 46755:TCP:PORT_46755
"14824:TCP"= 14824:TCP:PORT_14824
"28135:TCP"= 28135:TCP:PORT_28135
"37388:TCP"= 37388:TCP:PORT_37388
"18590:TCP"= 18590:TCP:PORT_18590
"15271:TCP"= 15271:TCP:PORT_15271
"7781:TCP"= 7781:TCP:PORT_7781
"54201:TCP"= 54201:TCP:PORT_54201
"12010:TCP"= 12010:TCP:PORT_12010
"20015:TCP"= 20015:TCP:PORT_20015
"25509:TCP"= 25509:TCP:PORT_25509
"37895:TCP"= 37895:TCP:PORT_37895
"12285:TCP"= 12285:TCP:PORT_12285
"45651:TCP"= 45651:TCP:PORT_45651
"62266:TCP"= 62266:TCP:PORT_62266
"47919:TCP"= 47919:TCP:PORT_47919
"31828:TCP"= 31828:TCP:PORT_31828
"54610:TCP"= 54610:TCP:PORT_54610
"50707:TCP"= 50707:TCP:PORT_50707
"21698:TCP"= 21698:TCP:PORT_21698
"16100:TCP"= 16100:TCP:PORT_16100
"5880:TCP"= 5880:TCP:PORT_5880
"50815:TCP"= 50815:TCP:PORT_50815
"64985:TCP"= 64985:TCP:PORT_64985
"33040:TCP"= 33040:TCP:PORT_33040
"29614:TCP"= 29614:TCP:PORT_29614
"46013:TCP"= 46013:TCP:PORT_46013
"24476:TCP"= 24476:TCP:PORT_24476
"13780:TCP"= 13780:TCP:PORT_13780
"20918:TCP"= 20918:TCP:PORT_20918
"50427:TCP"= 50427:TCP:PORT_50427
"28356:TCP"= 28356:TCP:PORT_28356
"26622:TCP"= 26622:TCP:PORT_26622
"54525:TCP"= 54525:TCP:PORT_54525
"47710:TCP"= 47710:TCP:PORT_47710
"56068:TCP"= 56068:TCP:PORT_56068
"23905:TCP"= 23905:TCP:PORT_23905
"12731:TCP"= 12731:TCP:PORT_12731
"30310:TCP"= 30310:TCP:PORT_30310
"33154:TCP"= 33154:TCP:PORT_33154
"46009:TCP"= 46009:TCP:PORT_46009
"35706:TCP"= 35706:TCP:PORT_35706
"36594:TCP"= 36594:TCP:PORT_36594
"21036:TCP"= 21036:TCP:PORT_21036
"45868:TCP"= 45868:TCP:PORT_45868
"30856:TCP"= 30856:TCP:PORT_30856
"39403:TCP"= 39403:TCP:PORT_39403
"27560:TCP"= 27560:TCP:PORT_27560
"61391:TCP"= 61391:TCP:PORT_61391
"63946:TCP"= 63946:TCP:PORT_63946
"46328:TCP"= 46328:TCP:PORT_46328
"54037:TCP"= 54037:TCP:PORT_54037
"55395:TCP"= 55395:TCP:PORT_55395
"52704:TCP"= 52704:TCP:PORT_52704
"42431:TCP"= 42431:TCP:PORT_42431
"49648:TCP"= 49648:TCP:PORT_49648
"9208:TCP"= 9208:TCP:PORT_9208
"56666:TCP"= 56666:TCP:PORT_56666
"11370:TCP"= 11370:TCP:PORT_11370
"47701:TCP"= 47701:TCP:PORT_47701
"23685:TCP"= 23685:TCP:PORT_23685
"62514:TCP"= 62514:TCP:PORT_62514
"29661:TCP"= 29661:TCP:PORT_29661
"40165:TCP"= 40165:TCP:PORT_40165
"42196:TCP"= 42196:TCP:PORT_42196
"60316:TCP"= 60316:TCP:PORT_60316
"10325:TCP"= 10325:TCP:PORT_10325
"54266:TCP"= 54266:TCP:PORT_54266
"33301:TCP"= 33301:TCP:PORT_33301
"26090:TCP"= 26090:TCP:PORT_26090
"63004:TCP"= 63004:TCP:PORT_63004
"28138:TCP"= 28138:TCP:PORT_28138
"12004:TCP"= 12004:TCP:PORT_12004
"39082:TCP"= 39082:TCP:PORT_39082
"57395:TCP"= 57395:TCP:PORT_57395
"52680:TCP"= 52680:TCP:PORT_52680
"13430:TCP"= 13430:TCP:PORT_13430
"54295:TCP"= 54295:TCP:PORT_54295
"52621:TCP"= 52621:TCP:PORT_52621
"19431:TCP"= 19431:TCP:PORT_19431
"31969:TCP"= 31969:TCP:PORT_31969
"52578:TCP"= 52578:TCP:PORT_52578
"42630:TCP"= 42630:TCP:PORT_42630
"9482:TCP"= 9482:TCP:PORT_9482
"6938:TCP"= 6938:TCP:PORT_6938
"42056:TCP"= 42056:TCP:PORT_42056
"27540:TCP"= 27540:TCP:PORT_27540
"12516:TCP"= 12516:TCP:PORT_12516
"49340:TCP"= 49340:TCP:PORT_49340
"29087:TCP"= 29087:TCP:PORT_29087
"44063:TCP"= 44063:TCP:PORT_44063
"43341:TCP"= 43341:TCP:PORT_43341
"13783:TCP"= 13783:TCP:PORT_13783
"5406:TCP"= 5406:TCP:PORT_5406
"19153:TCP"= 19153:TCP:PORT_19153
"24297:TCP"= 24297:TCP:PORT_24297
"50331:TCP"= 50331:TCP:PORT_50331
"54498:TCP"= 54498:TCP:PORT_54498
"57516:TCP"= 57516:TCP:PORT_57516
"18489:TCP"= 18489:TCP:PORT_18489
"11193:TCP"= 11193:TCP:PORT_11193
"37794:TCP"= 37794:TCP:PORT_37794
"25485:TCP"= 25485:TCP:PORT_25485
"57066:TCP"= 57066:TCP:PORT_57066
"31092:TCP"= 31092:TCP:PORT_31092
"27621:TCP"= 27621:TCP:PORT_27621
"22051:TCP"= 22051:TCP:PORT_22051
"49160:TCP"= 49160:TCP:PORT_49160
"56000:TCP"= 56000:TCP:PORT_56000
"43926:TCP"= 43926:TCP:PORT_43926
"35582:TCP"= 35582:TCP:PORT_35582
"39787:TCP"= 39787:TCP:PORT_39787
"64891:TCP"= 64891:TCP:PORT_64891
"16316:TCP"= 16316:TCP:PORT_16316
"18362:TCP"= 18362:TCP:PORT_18362
"41036:TCP"= 41036:TCP:PORT_41036
"6458:TCP"= 6458:TCP:PORT_6458
"34953:TCP"= 34953:TCP:PORT_34953
"59957:TCP"= 59957:TCP:PORT_59957
"58388:TCP"= 58388:TCP:PORT_58388
"38151:TCP"= 38151:TCP:PORT_38151
"33700:TCP"= 33700:TCP:PORT_33700
"48688:TCP"= 48688:TCP:PORT_48688
"45293:TCP"= 45293:TCP:PORT_45293
"6828:TCP"= 6828:TCP:PORT_6828
"16641:TCP"= 16641:TCP:PORT_16641
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 5:42 PM 156968]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/1/2008 3:13 AM 34064]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/25/2009 8:56 PM 101936]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 7:34 AM 115952]
S4 Windows Packet Sender;Windows Packet Sender;c:\documents and settings\Charles\Application Data\Userinit.exe srv --> c:\documents and settings\Charles\Application Data\Userinit.exe srv [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - BEEP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-05-31 c:\windows\Tasks\HP WEP.job
- c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 19:28]
2009-05-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
2009-05-31 c:\windows\Tasks\User_Feed_Synchronization-{FD0FBCD3-6693-46EC-B6E0-663F3AC77280}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://middlegeorgia.cox.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: taxactonline.com\www
DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - hxxp://www3.authentium.com/cssrelease/bin/wizard.exe
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 17:36
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-05-31 17:40
ComboFix-quarantined-files.txt 2009-05-31 21:40
ComboFix2.txt 2009-05-31 14:44
Pre-Run: 3,651,055,616 bytes free
Post-Run: 3,746,197,504 bytes free
354 --- E O F --- 2009-05-21 19:23
I then opened HiJackThis and ran a System Scan Only, checked the boxes directed and clicked "Fix Checked". I then downloaded and ran ATF Cleaner, ran it, and downloaded and ran the Malwarebytes Anti-Malware program. Here's the log for MBAM:
Malwarebytes' Anti-Malware 1.37
Database version: 2203
Windows 5.1.2600 Service Pack 3
5/31/2009 7:37:58 PM
mbam-log-2009-05-31 (19-37-58).txt
Scan type: Full Scan (C:\|)
Objects scanned: 251733
Time elapsed: 1 hour(s), 38 minute(s), 23 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\program files\quicktime alternative\QuickTimePlayer.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\TDSSqxgx.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
Lastly, I ran HiJackThis and here's the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:13 PM, on 5/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\StorageSync\StrgSync.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\Program Files\Adobe Reader\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\yProxy\yProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://middlegeorgia.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SpyBot\SDHelper.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe Reader\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Charles\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: yProxy.lnk = C:\Program Files\yProxy\yProxy.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SpyBot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SpyBot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228585501687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228585480796
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 9086 bytes
I have NOT run Spybot S&D to see if it's still detecting Virtumonde.sci. I didn't see that in the MBAM scan either.
Thanks and waiting for further instructions.
dwv306
Phil,
Forgot to answer your last question... "How is your computer running now?"
As far as I can tell, it is running normally. Have NOT noticed any glitches, or slowness.
pskelley
2009-06-01, 16:00
Thanks for the feedback, update and immunize Spybot S&D and scan the system, if it finds anything, post the results.
http://www.safer-networking.org/en/faq/index.html
http://www.safer-networking.org/en/tutorial/index.html
check for updates, run a scan, fix any problems then:
on the toolbar menu select mode and switch to advanced, on the left select tools, view report, make sure all the options are selected near the bottom except:
Uncheck[ ] do not report disabled or known legitimate Items,
uncheck[ ] Include a list of services in report.
Uncheck[ ] Include uninstall list in report.
Now select near top-- view report, Press export, and save the log on your Desktop, post the saved log in your next reply.
Thanks:)
Phil,
Here's the log of my latest Spybot S&D scan:
--- Search result list ---
Congratulations!: No immediate threats were found. (Status)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2008-07-07 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-02-14 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-05-26 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-05-26 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-05-26 Includes\HijackersC.sbi (*)
2009-05-06 Includes\Keyloggers.sbi (*)
2009-05-26 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-05-12 Includes\Malware.sbi (*)
2009-05-26 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-05-26 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-05-26 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-05-26 Includes\SpywareC.sbi (*)
2009-04-07 Includes\Tracks.uti
2009-05-12 Includes\Trojans.sbi (*)
2009-05-26 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB954430)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player: Security Update for Windows Media Player (KB952069)
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB911565)
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB917734)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB954154)
/ Windows Media Player 11: Critical Update for Windows Media Player 11 (KB959772)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB928090)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB929969)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB931768)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB933566)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB937143)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB939653)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB942615)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP0: Hotfix for Windows Internet Explorer 7 (KB947864)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB953838)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB956390)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB958215)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB960714)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB961260)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Windows XP Service Pack 3
/ Windows XP / SP4: Hotfix for Windows XP (KB915800-v4)
/ Windows XP / SP4: Security Update for Windows XP (KB923561)
/ Windows XP / SP4: Security Update for Windows XP (KB938464)
/ Windows XP / SP4: Security Update for Windows XP (KB946648)
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Update for Windows XP (KB951072-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951376)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP / SP4: Update for Windows XP (KB951978)
/ Windows XP / SP4: Security Update for Windows XP (KB952004)
/ Windows XP / SP4: Hotfix for Windows XP (KB952287)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Security Update for Windows XP (KB953839)
/ Windows XP / SP4: Security Update for Windows XP (KB954211)
/ Windows XP / SP4: Security Update for Windows XP (KB954459)
/ Windows XP / SP4: Hotfix for Windows XP (KB954550-v5)
/ Windows XP / SP4: Security Update for Windows XP (KB954600)
/ Windows XP / SP4: Security Update for Windows XP (KB955069)
/ Windows XP / SP4: Update for Windows XP (KB955839)
/ Windows XP / SP4: Security Update for Windows XP (KB956391)
/ Windows XP / SP4: Security Update for Windows XP (KB956572)
/ Windows XP / SP4: Security Update for Windows XP (KB956802)
/ Windows XP / SP4: Security Update for Windows XP (KB956803)
/ Windows XP / SP4: Security Update for Windows XP (KB956841)
/ Windows XP / SP4: Security Update for Windows XP (KB957095)
/ Windows XP / SP4: Security Update for Windows XP (KB957097)
/ Windows XP / SP4: Security Update for Windows XP (KB958644)
/ Windows XP / SP4: Security Update for Windows XP (KB958687)
/ Windows XP / SP4: Security Update for Windows XP (KB958690)
/ Windows XP / SP4: Security Update for Windows XP (KB959426)
/ Windows XP / SP4: Security Update for Windows XP (KB960225)
/ Windows XP / SP4: Security Update for Windows XP (KB960715)
/ Windows XP / SP4: Security Update for Windows XP (KB960803)
/ Windows XP / SP4: Hotfix for Windows XP (KB961118)
/ Windows XP / SP4: Security Update for Windows XP (KB961373)
/ Windows XP / SP4: Update for Windows XP (KB967715)
--- Startup entries list ---
Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Program Files\Adobe Reader\Reader\Reader_sl.exe"
file: C:\Program Files\Adobe Reader\Reader\Reader_sl.exe
size: 35696
MD5: 452FA961163EF4AEE4815796A13AB2CF
Located: HK_LM:Run, ATIPTA
command: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
file: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
size: 339968
MD5: ACC7B414EF1ABEA6AA654B74CC9A90CF
Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 53408
MD5: F8E083AD7ED601B71C84AEC35BE6AE40
Located: HK_LM:Run, dla
command: C:\WINDOWS\system32\dla\tfswctrl.exe
file: C:\WINDOWS\system32\dla\tfswctrl.exe
size: 122939
MD5: 790490F273B0E3BCF05DC3C308ABCC0B
Located: HK_LM:Run, DVDLauncher
command: "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
file: C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
size: 57344
MD5: 7E5FC860ECBD3FE4D0BF7E1814A37B56
Located: HK_LM:Run, Flashget
command: C:\Program Files\FlashGet\flashget.exe /min
file: C:\Program Files\FlashGet\flashget.exe
size: 2007088
MD5: CA19FCDF31B68ABCA046AC091143CE6B
Located: HK_LM:Run, hpbdfawep
command: C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
file: C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
size: 954368
MD5: E98CFB0C92E3A8E5C6F530D28D3DBD80
Located: HK_LM:Run, IAAnotif
command: "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
file: C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
size: 151552
MD5: D2CA35A3F711E613D9399845CE9302FA
Located: HK_LM:Run, MaxMenuMgr
command: "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
file: C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
size: 181544
MD5: F5081AECFD6B7BE1D8B94632BF91D4AB
Located: HK_LM:Run, mmtask
command: c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
file: c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
size: 53248
MD5: 663D599A6F62A8AE15B1A9D3E7D75DC0
Located: HK_LM:Run, PCMService
command: "C:\Program Files\Dell\Media Experience\PCMService.exe"
file: C:\Program Files\Dell\Media Experience\PCMService.exe
size: 335970
MD5: B0187BAA2D8D781E5EC97EF259D8D7D9
Located: HK_LM:Run, SoundMAXPnP
command: C:\Program Files\Analog Devices\Core\smax4pnp.exe
file: C:\Program Files\Analog Devices\Core\smax4pnp.exe
size: 1404928
MD5: 10247C15D999CC116C87DA36BD0AD64D
Located: HK_LM:Run, StrgSync.exe
command: C:\Program Files\StorageSync\StrgSync.exe -w
file: C:\Program Files\StorageSync\StrgSync.exe
size: 3032576
MD5: 58126578FC176932BBBDA4466E0375DE
Located: HK_LM:Run, UpdateManager
command: "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
file: C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
size: 110592
MD5: 52B80C30225DE81D7AC989DFE7311877
Located: HK_LM:Run, vptray
command: C:\PROGRA~1\SYMANT~1\VPTray.exe
file: C:\PROGRA~1\SYMANT~1\VPTray.exe
size: 124656
MD5: EB4CAF48452A80C11BC513C35E586C8B
Located: HK_CU:Run, cdloader
where: S-1-5-21-790525478-706699826-682003330-1004...
command: "C:\Documents and Settings\Charles\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
file: C:\Documents and Settings\Charles\Application Data\mjusbsp\cdloader2.exe
size: 50520
MD5: 7B1CAB26FF0EE8A66BC32B44CAF4EE34
Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-790525478-706699826-682003330-1004...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
Located: HK_CU:Run, RegistryMechanic
where: S-1-5-21-790525478-706699826-682003330-1004...
command: C:\Program Files\Registry Mechanic\RegMech.exe /H
file: C:\Program Files\Registry Mechanic\RegMech.exe
size: 2828184
MD5: E0E44ACCB08AEABE948CF02D5BD8EFA1
Located: Startup (common), Windows Search.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Windows Desktop Search\WindowsSearch.exe
file: C:\Program Files\Windows Desktop Search\WindowsSearch.exe
size: 123904
MD5: B5C9F63C01FCFEC3F64EC6A0940A1825
Located: Startup (common), yProxy.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\yProxy\yProxy.exe
file: C:\Program Files\yProxy\yProxy.exe
size: 675328
MD5: 5A57FA9814B2A8F0B6F17E8DD16EFC55
Located: Startup (user), ERUNT AutoBackup.lnk
where: C:\Documents and Settings\Charles\Start Menu\Programs\Startup...
command: C:\Program Files\ERUNT\AUTOBACK.EXE
file: C:\Program Files\ERUNT\AUTOBACK.EXE
size: 38912
MD5: E00DE20F0F6BED5CD2160247DDC9443B
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, NavLogon
command: C:\WINDOWS\system32\NavLogon.dll
file: C:\WINDOWS\system32\NavLogon.dll
size: 43760
MD5: FC2176B0E5CCBE7035F603FC7E31422D
Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
--- Browser helper object list ---
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (AcroIEHelperStub)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: AcroIEHelperStub
CLSID name: Adobe PDF Link Helper
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelperShim.dll
Short name: ACROIE~2.DLL
Date (created): 2/27/2009 12:07:26 PM
Date (last access): 6/1/2009 7:02:14 PM
Date (last write): 2/27/2009 12:07:26 PM
Filesize: 75128
Attributes: archive
MD5: 5CF6190CD875DA6B35256FEE573E7908
CRC32: 764BA81B
Version: 9.1.0.163
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (flashget urlcatch)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: flashget urlcatch
CLSID name: FGCatchUrl
Path: C:\Program Files\FlashGet\
Long name: jccatch.dll
Short name:
Date (created): 8/6/2007 5:11:58 AM
Date (last access): 6/1/2009 6:54:18 PM
Date (last write): 8/6/2007 5:11:58 AM
Filesize: 94308
Attributes: archive
MD5: F75511A4E8C213D088BA7E53BA0CC4DA
CRC32: FABB6089
Version: 1.8.4.1007
{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SpyBot\
Long name: SDHelper.dll
Short name:
Date (created): 10/2/2008 6:08:16 PM
Date (last access): 6/1/2009 7:16:44 PM
Date (last write): 1/26/2009 4:31:02 PM
Filesize: 1879896
Attributes: archive
MD5: 022C2F6DCCDFA0AD73024D254E62AFAC
CRC32: 5BA24007
Version: 1.6.2.14
{F156768E-81EF-470C-9057-481BA8380DBA} (FlashGet GetFlash Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: FlashGet GetFlash Class
Path: C:\Program Files\FlashGet\
Long name: getflash.dll
Short name:
Date (created): 5/18/2007 12:13:10 PM
Date (last access): 6/1/2009 7:00:26 PM
Date (last write): 5/18/2007 12:13:10 PM
Filesize: 163840
Attributes: archive
MD5: 42CB9A71788338483537F36A00318D00
CRC32: AC7D29D0
Version: 1.8.4.1003
--- ActiveX list ---
{01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class)
DPF name:
CLSID name: Support.com Configuration Class
Installer: C:\WINDOWS\Downloaded Program Files\tgctlcm.inf
Codebase: http://support.cox.com/sdccommon/download/tgctlcm.cab
description:
classification: Legitimate
known filename: tgctlcm.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: tgctlcm.dll
Short name:
Date (created): 9/13/2004 3:02:56 AM
Date (last access): 6/1/2009 6:36:36 PM
Date (last write): 9/13/2004 3:02:56 AM
Filesize: 204800
Attributes: archive
MD5: 87E0589A904B2E1CE2BBA779A77D4846
CRC32: 2229519C
Version: 6.5.627.0
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object)
DPF name:
CLSID name: QuickTime Object
Installer: C:\WINDOWS\Downloaded Program Files\QTPlugin.inf
Codebase: http://www.apple.com/qtactivex/qtplugin.cab
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\QuickTime Alternative\QTSystem\
Long name: QTPlugin.ocx
Short name:
Date (created): 1/1/2006 5:17:46 PM
Date (last access): 6/1/2009 6:36:36 PM
Date (last write): 11/10/2005 11:48:10 PM
Filesize: 409600
Attributes: archive
MD5: D2B462A22F89C8A74B02EDDA130AF616
CRC32: 99C4835D
Version: 7.0.3.50
{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer:
Codebase: http://active.macromedia.com/director/cabs/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 7/23/2006 9:36:22 AM
Date (last access): 6/1/2009 6:36:36 PM
Date (last write): 9/4/2006 12:10:30 AM
Filesize: 54960
Attributes: archive
MD5: EB271B21EA6104B7C6946EF32D558C91
CRC32: CEC4E0C2
Version: 10.1.4.20
{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
description:
classification: Legitimate
known filename: LegitCheckControl.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: LegitCheckControl.dll
Short name: LEGITC~1.DLL
Date (created): 7/12/2005 6:04:22 PM
Date (last access): 6/1/2009 6:53:16 PM
Date (last write): 3/20/2008 6:06:36 PM
Filesize: 1480232
Attributes: archive
MD5: E058C4821D48E0A67F6069CB50818D44
CRC32: 3513AE02
Version: 1.7.69.2
{1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object)
DPF name:
CLSID name: CNavigationManager Object
Installer:
Codebase: http://www3.authentium.com/cssrelease/bin/wizard.exe
description:
classification: Open for discussion
known filename: WEBWIZ.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Common Files\Authentium Shared\Core\
Long name: webwiz.dll
Short name:
Date (created): 1/24/2008 8:04:28 PM
Date (last access): 6/1/2009 6:36:36 PM
Date (last write): 6/8/2007 7:36:50 PM
Filesize: 135168
Attributes: archive
MD5: 4DE6C7FB90A7E6B6BF7740DA944FBA40
CRC32: 25C5F968
Version: 3.0.0.2
{233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer:
Codebase: http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
description:
classification: Legitimate
known filename: SwDir.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\Macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 7/23/2006 9:36:22 AM
Date (last access): 6/1/2009 6:36:36 PM
Date (last write): 9/4/2006 12:10:30 AM
Filesize: 54960
Attributes: archive
MD5: EB271B21EA6104B7C6946EF32D558C91
CRC32: CEC4E0C2
Version: 10.1.4.20
{31435657-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\wvc1dmo.inf
Codebase: http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
{5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module)
DPF name:
CLSID name: Windows Live Safety Center Base Module
Installer: C:\WINDOWS\Downloaded Program Files\wlscBase.inf
Codebase: http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
description:
classification: Legitimate
known filename: wlscBase.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: wlscBase.dll
Short name:
Date (created): 3/16/2009 2:01:08 PM
Date (last access): 6/1/2009 6:15:54 PM
Date (last write): 3/16/2009 2:01:08 PM
Filesize: 452488
Attributes: archive
MD5: F9852CBC0E06660768DBB1E6FE9B1896
CRC32: 90361551
Version: 1.10.5483.1
{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228585501687
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: wuweb.dll
Short name:
Date (created): 6/28/2005 6:03:28 PM
Date (last access): 6/1/2009 6:18:08 PM
Date (last write): 10/16/2008 3:12:24 PM
Filesize: 202776
Attributes: archive
MD5: 0006DE8037F5A562F96B461B3C557C3C
CRC32: 9B107DED
Version: 7.2.6001.788
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
DPF name:
CLSID name: MUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\muweb.inf
Codebase: http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228585480796
description:
classification: Legitimate
known filename: muweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: muweb.dll
Short name:
Date (created): 5/26/2005 4:19:32 AM
Date (last access): 6/1/2009 6:18:04 PM
Date (last write): 10/16/2008 3:07:48 PM
Filesize: 208744
Attributes: archive
MD5: 90058C2AD9FC43A3B3D59F82FFC6AEA7
CRC32: 7D5F90FA
Version: 7.2.6001.788
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.
{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} ()
DPF name:
CLSID name:
Installer:
Codebase:
{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash10b.ocx
Short name:
Date (created): 2/2/2009 10:07:18 PM
Date (last access): 6/1/2009 6:06:02 PM
Date (last write): 2/2/2009 10:07:18 PM
Filesize: 3866528
Attributes: readonly archive
MD5: 8AFC17155ED5AB60B7C52D7F553D579C
CRC32: 0FBC13F3
Version: 10.0.22.87
{E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control)
DPF name:
CLSID name: Dell PC Checkup Installer Control
Installer: C:\WINDOWS\Downloaded Program Files\gtdownde_110.inf
Codebase: http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
description:
classification: Legitimate
known filename: GTDownDE_87.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: gtdownde_110.ocx
Short name: GTDOWN~1.OCX
Date (created): 11/25/2004 3:15:00 PM
Date (last access): 6/1/2009 6:36:36 PM
Date (last write): 11/25/2004 3:15:00 PM
Filesize: 184320
Attributes: archive
MD5: D05E2AB470D3C1A88635A54A14FE5D76
CRC32: 1B7FFDAE
Version: 1.0.0.110
--- Process list ---
PID: 0 ( 0) [System]
PID: 424 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 640 ( 424) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 664 ( 424) \??\C:\WINDOWS\system32\winlogon.exe
size: 507904
PID: 712 ( 664) C:\WINDOWS\system32\services.exe
size: 110592
MD5: 65DF52F5B8B6E9BBD183505225C37315
PID: 724 ( 664) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: BF2466B3E18E970D8A976FB95FC1CA85
PID: 940 ( 712) C:\WINDOWS\system32\Ati2evxx.exe
size: 389120
MD5: 4DEAA162480367B232F3EE3A6D34084B
PID: 956 ( 712) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1032 ( 712) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1124 ( 712) C:\Program Files\Windows Defender\MsMpEng.exe
size: 13592
MD5: F45DD1E1365D857DD08BC23563370D0E
PID: 1220 ( 712) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1268 ( 712) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1344 ( 712) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1456 ( 712) C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
size: 169632
MD5: 324318BD026AA58E3EA8C23647ADE1C3
PID: 1500 ( 712) C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
size: 192160
MD5: C5F0C1FFF968E9D143F62075CBD8ED60
PID: 1576 ( 712) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
size: 1160848
MD5: DABD8523D9B60CE6513653DFD8B96C1B
PID: 1624 ( 712) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: D8E14A61ACC1D4A6CD0D38AEBAC7FA3B
PID: 1736 ( 712) C:\Program Files\Symantec AntiVirus\DefWatch.exe
size: 30448
MD5: 6A0A8FE766943DE793E6F03F4FE882DD
PID: 1792 ( 712) C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
size: 156968
MD5: C0504D5561D4E3872BCBA47531E2763B
PID: 1968 ( 712) C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
size: 81920
MD5: 0BCEE844A02747DD7F1E30352E619F2E
PID: 580 ( 712) C:\Program Files\Symantec AntiVirus\Rtvscan.exe
size: 1799408
MD5: 8B3550214824ABF244D1E27E2A300990
PID: 1308 ( 712) C:\WINDOWS\system32\SearchIndexer.exe
size: 439808
MD5: 7778BDFA3F6F6FBA0E75B9594098F737
PID: 1988 ( 712) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: 8C515081584A38AA007909CD02020B3D
PID: 2440 ( 956) C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
size: 73728
MD5: 9F21FB79005F196DB0D522F2FEF0A067
PID: 3008 (2932) C:\WINDOWS\Explorer.EXE
size: 1033728
MD5: 12896823FB95BFB3DC9B46BCAEDC9923
PID: 3376 (3008) C:\Program Files\StorageSync\StrgSync.exe
size: 3032576
MD5: 58126578FC176932BBBDA4466E0375DE
PID: 3384 (3008) C:\Program Files\Analog Devices\Core\smax4pnp.exe
size: 1404928
MD5: 10247C15D999CC116C87DA36BD0AD64D
PID: 3392 (3008) C:\Program Files\Dell\Media Experience\PCMService.exe
size: 335970
MD5: B0187BAA2D8D781E5EC97EF259D8D7D9
PID: 3400 (3008) C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
size: 53248
MD5: 663D599A6F62A8AE15B1A9D3E7D75DC0
PID: 3420 (3008) C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
size: 151552
MD5: D2CA35A3F711E613D9399845CE9302FA
PID: 3452 (3008) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 53408
MD5: F8E083AD7ED601B71C84AEC35BE6AE40
PID: 3460 (3008) C:\PROGRA~1\SYMANT~1\VPTray.exe
size: 124656
MD5: EB4CAF48452A80C11BC513C35E586C8B
PID: 3468 (3008) C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
size: 57344
MD5: 7E5FC860ECBD3FE4D0BF7E1814A37B56
PID: 3476 (3008) C:\WINDOWS\system32\dla\tfswctrl.exe
size: 122939
MD5: 790490F273B0E3BCF05DC3C308ABCC0B
PID: 3528 (3008) C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
size: 181544
MD5: F5081AECFD6B7BE1D8B94632BF91D4AB
PID: 3648 (3008) C:\Program Files\FlashGet\flashget.exe
size: 2007088
MD5: CA19FCDF31B68ABCA046AC091143CE6B
PID: 3656 (3008) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
PID: 3740 (3008) C:\Program Files\Registry Mechanic\RegMech.exe
size: 2828184
MD5: E0E44ACCB08AEABE948CF02D5BD8EFA1
PID: 3784 (3008) C:\Program Files\Windows Desktop Search\WindowsSearch.exe
size: 123904
MD5: B5C9F63C01FCFEC3F64EC6A0940A1825
PID: 3816 (3008) C:\Program Files\yProxy\yProxy.exe
size: 675328
MD5: 5A57FA9814B2A8F0B6F17E8DD16EFC55
PID: 2308 (2224) C:\Documents and Settings\Charles\Application Data\mjusbsp\magicJack.exe
size: 11806040
MD5: DD432B4A4AB7CD1162AD7BA1A0CF03A1
PID: 3296 (3008) C:\Program Files\SpyBot\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 2924 (1308) C:\WINDOWS\system32\SearchProtocolHost.exe
size: 184832
MD5: C4894B3B448B647BEDC9E916D181BDBE
PID: 3060 (1308) C:\WINDOWS\system32\SearchFilterHost.exe
size: 87552
MD5: 87889A983C015080FA813D7E32910D1E
PID: 4 ( 0) System
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 6/1/2009 7:17:19 PM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://middlegeorgia.cox.net/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A61D65C0-AA9A-40E0-8FA5-FC5391887D92}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A61D65C0-AA9A-40E0-8FA5-FC5391887D92}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A3563E2A-56B6-41F1-A81A-0999C2994355}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A3563E2A-56B6-41F1-A81A-0999C2994355}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{53B63DAB-7EA0-41ED-8EAA-692975F61962}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{53B63DAB-7EA0-41ED-8EAA-692975F61962}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{851BAAF4-7108-4846-8F90-2EFA4C2F3E21}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{851BAAF4-7108-4846-8F90-2EFA4C2F3E21}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E3BBEAE6-0A7C-49E4-B967-D0893ABF81FC}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E3BBEAE6-0A7C-49E4-B967-D0893ABF81FC}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
Seems like the Virtumonde.sci is gone.
dwv306
pskelley
2009-06-02, 02:38
Looks good:bigthumb: before wetry to wrap up, I want to mention that the combofix log shows a load of open ports. They may be valid, but I think you should check to find out. Here are tools to help do this.
https://www.grc.com/x/ne.dll?bh0bkyd2 <<< good site
http://www.google.com/search?hl=en&q=scan+for+open+ports&aq=f&oq=&aqi=g10
A look at the running processes tell me this information will help you help your computer run better.
http://www.netsquirrel.com/msconfig/msconfig_xp.html
http://www.malwareremoval.com/tutorials/runningslowly.php
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.bleepingcomputer.com/forums/index.php?showtopic=87058&st=0&p=487112&#entry487112
http://www.microsoft.com/atwork/getstarted/speed.mspx
Let's see if we can wrap up link this.
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, keep it updated and run it once a month or so)
Update Symantec AntiVirus and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.
http://www.symantec.com/enterprise/support/index.jsp
If all is well at this point, let me know and I will close the topic.
Some good information for you:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
How hard are your passwords to crack?
http://www.microsoft.com/protect/yourself/password/checker.mspx
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx
Phil,
I checked the open ports and got the following report:
----------------------------------------------------------------------
GRC Port Authority Report created on UTC: 2009-06-01 at 23:50:42
Results from scan of ports: 0-1055
0 Ports Open
0 Ports Closed
1056 Ports Stealth
---------------------
1056 Ports Tested
ALL PORTS tested were found to be: STEALTH.
TruStealth: PASSED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.
----------------------------------------------------------------------
I then uninstalled Combofix, turned off system restore, rebooted, and turned system restore back on. I then scanned my system with MBAM and Symantec AntiVirus and both found NO infected files. I think that all is OK, but I do have one final question.
I noticed that when I open or close my email program, Outlook Express, I get the following message:
"To free up disk space, Outlook Express can compact messages. This may take a few minutes."
This message also pops up periodically on screen without any prompts. Wondering if this is caused by an option with the program that I've selected (turned on), or by a scanning program associated with email (Symantec AntiVirus), or something else. This message did not always "pop up" when I installed the program several years ago, but is more frequent now. Any ideas?
Thanks again for your time and all of your help!
dwv306
pskelley
2009-06-02, 14:05
Thanks for the feedback, looks like your ports are in good shape. I do not use OE and have not for years preferring Hotmail but I found information you can review at Google:
http://www.google.com/search?hl=en&q=To+free+up+disk+space%2C+Outlook+Express+can+compact+messages.+This+may+take+a+few+minutes&btnG=Search&aq=f&oq=&aqi=
My guess is that it is auto-generated, is there a box where you can check to say "don't show me this message anymore"
Hope that helps...Phil