Browser is opening a new window...



xyz1010
2009-11-18, 20:32
Hi,

Recently Symantec on my computer detected and deleted a file that attempted to install SpywareProtect2009. However, since then my browsers (Opera and Explorer) have randomly been trying to open a non-existent link:

"Cannot find 'http:/$#%20...", etc.

Since the link is "broken", my screen ends up with dozens of new windows (for Explorer) or tabs (for Opera). Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:54 PM, on 11/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Novell\XTAgent.exe
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINNT\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINNT\system32\rpcnet.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\wbem\wmiapsrv.exe
C:\WINNT\system32\wbem\wmiprvse.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINNT\snuvcdsm.exe
C:\WINNT\system32\AccelerometerSt.Exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\NYSE Internet Settings\SmartIE.exe
C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Compare & Backup\Everyday Auto Backup\AutoBackup.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Arsenal Company\Socrat Personal\Scpers32.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Checkpoint\Integrity Client\IClient.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\lotus\notes\framework\rcp\eclipse\plugins\com.ibm.rcp.base_6.1.2.200808010926\win32\x86\eclipse.exe
C:\Program Files\lotus\notes\framework\rcp\eclipse\plugins\com.ibm.rcp.j2se.win32.x86_1.6.0.20090219c-200906101703\jre\bin\notes2w.exe
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\Program Files\SAS\SASFoundation\9.2\sas.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Checkpoint\Integrity Client\SecuRemote\bin\SR_Watchdog.exe
C:\Program Files\Checkpoint\Integrity Client\SecuRemote\bin\SR_Service.exe
C:\Program Files\Checkpoint\Integrity Client\SecuRemote\bin\SR_GUI.Exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Aqua Data Studio 6.5\jre\bin\java.exe
C:\PROGRA~1\SAS\ENTERP~1\4.2\SEGUIDE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myexchange.nyx.com/nyx.nsf/home/welcome?open&s=48649876
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.corp.nyse.com/pac/webproxy.pac
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [snuvcdsm] C:\WINNT\snuvcdsm.exe
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINNT\system32\AccelerometerSt.Exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINNT\system32\zentray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SMARTIESettings] C:\Program Files\NYSE Internet Settings\SmartIE.exe
O4 - HKLM\..\Run: [Check Point Endpoint Tray Application] C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Everyday Auto Backup] C:\Program Files\Compare & Backup\Everyday Auto Backup\AutoBackup.exe /1
O4 - .DEFAULT User Startup: CurrentUser.cmd (User 'Default user')
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Socrat Personal v. 3.0.3.lnk = C:\Program Files\Arsenal Company\Socrat Personal\Scpers32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_A54B7D6FB1DA63EA.dll/cmsidewiki.html
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.nyse.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F021AE3-9E98-11D0-A808-00C04FDCD94A} (Novell Directory Control) - http://reg.e.nyse.com/NWDir.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.nyx.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.nyx.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.nyx.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.nyse.com,nyse.com,siac.com,Tradearca.com,Corp.pacificex.net,Trading.pacificex.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.nyx.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.nyse.com,nyse.com,siac.com,Tradearca.com,Corp.pacificex.net,Trading.pacificex.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.nyse.com,nyse.com,siac.com,Tradearca.com,Corp.pacificex.net,Trading.pacificex.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: AMINIT.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\Program Files\Fingerprint Sensor\AtService.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINNT\system32\rpcnet.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\Checkpoint\Integrity Client\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\Checkpoint\Integrity Client\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINNT\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 15089 bytes
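
As an added illustration (not part of the thread, and not HijackThis's own code), here is a small Python triage script that reads the log format posted above and flags the entry types a helper typically reviews first: O2 BHOs whose DLL is missing, O4 autoruns that give a bare filename instead of a full path, O6 Internet Explorer policy restrictions, and O20 AppInit_DLLs entries. The sample lines are copied from the log above; the heuristics are the script's own assumptions and not a verdict on any particular entry.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - AppInit_DLLs: AMINIT.dll
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Every HijackThis entry starts with a section tag such as R0, O2, O23.
ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")
# O4 run-key entries carry the value name in brackets, then the command line.
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def parse_entries(log_text):
    """Return (section, body, line) triples for every recognised entry."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body"), raw.strip()))
    return entries


def o4_is_bare(body):
    """True when an O4 run-key command names a binary without any path.

    Such an entry is resolved by PATH search at logon, so the file that
    actually runs cannot be read off the log line alone.
    """
    m = O4_RE.search(body)
    if not m:
        return False  # Startup-folder style O4 lines have no bracketed name
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]  # quoted path: keep only the path
    return "\\" not in cmd and ":" not in cmd


def triage(log_text):
    """Apply the review heuristics and return the entries worth a closer look."""
    findings = []
    for section, body, line in parse_entries(log_text):
        if section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, line,
                "BHO is registered but its DLL is missing (orphaned entry)"))
        elif section == "O4" and o4_is_bare(body):
            findings.append(Finding(section, line,
                "autorun command has no path; verify which file is actually run"))
        elif section == "O6":
            findings.append(Finding(section, line,
                "Internet Explorer policy restrictions are set; expected under "
                "managed policy, otherwise review"))
        elif section == "O20":
            findings.append(Finding(section, line,
                "AppInit_DLLs entry: loaded into every process that loads "
                "user32.dll, so confirm the DLL's origin"))
    return findings


def count_by_section(findings):
    """Summarise findings as {section: count} for a quick overview."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print(count_by_section(triage(SAMPLE_LOG)))
```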

Shaba
2009-11-22, 18:43
Hi xyz1010

Is this a personal computer?

xyz1010
2009-11-23, 15:13
Yes; however, I use it heavily to work from home, so I have a bunch of VPN and other applications "prescribed" by my company.

Shaba
2009-11-23, 21:38
So is it under IT support or not?

xyz1010
2009-11-23, 23:32
Definitely not...

Shaba
2009-11-24, 11:41
Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
Alternate download site (http://hype.free.googlepages.com/gmer.zip)

Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).)
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Run Gmer again and click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html).
Important! Please do not select the "Show all" checkbox during the scan.

xyz1010
2009-11-24, 17:19
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-24 10:18:43
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\MaslaveN\LOCALS~1\Temp\awnoakow.sys


---- System - GMER 1.0.15 ----

SSDT 89A8A860 ZwAlertResumeThread
SSDT 89AC4428 ZwAlertThread
SSDT 89A89E08 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xA4FB7B60]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xA4FB4960]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xA4FC1710]
SSDT 89930A40 ZwCreateMutant
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xA4FB8120]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xA4FBEF30]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xA4FBF140]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xA4FC2E90]
SSDT 89AD51D8 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xA4FB8210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xA4FB4EF0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xA4FC1F90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xA4FC1D40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xA4FBE8B0]
SSDT 89933E08 ZwFreeVirtualMemory
SSDT 89945448 ZwImpersonateAnonymousToken
SSDT 8992B9B8 ZwImpersonateThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xA4FC2140]
SSDT 89AA0308 ZwMapViewOfSection
SSDT 89915D48 ZwOpenEvent
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xA4FB4D50]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xA4FC07A0]
SSDT 89987AF0 ZwOpenProcessToken
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xA4FC0560]
SSDT 89A81AD8 ZwOpenThreadToken
SSDT \??\C:\WINNT\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xB7308840]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xA4FC2B00]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xA4FC2560]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xA4FB7780]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xA4FC2950]
SSDT 8991F588 ZwResumeThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xA4FB7D30]
SSDT 89920AF0 ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xA4FB5120]
SSDT 8682AA98 ZwSetInformationProcess
SSDT 8994A3B0 ZwSetInformationThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xA4FC1A80]
SSDT 8991C280 ZwSuspendProcess
SSDT 89A83AF0 ZwSuspendThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xA4FBF830]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xA4FBF6B0]
SSDT 89ADA1A8 ZwTerminateThread
SSDT 8991FAF0 ZwUnmapViewOfSection
SSDT 89AA4E08 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504518 12 Bytes [20, 81, FB, A4, 30, EF, FB, ...] {AND [ECX-0x10cf5b05], AL; STI ; MOVSB ; INC EAX; INT1 ; STI ; MOVSB }
.text ntkrnlpa.exe!ZwCallbackReturn + 2CD4 80504570 4 Bytes CALL 4DE6EA70
.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504854 12 Bytes [80, C2, 91, 89, F0, 3A, A8, ...] {ADD DL, 0x91; MOV EAX, ESI; CMP CH, [EAX-0x407cf77]; MOVSB }
.rsrc C:\WINNT\system32\drivers\iaStor.sys entry point in ".rsrc" section [0xB9EE902C]
? nwfilter.sys The system cannot find the file specified. !
.text C:\WINNT\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8791000, 0x18A3B6, 0xE8000020]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [A4FBC6C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [A4FBC4D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [A4FBCE00] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [A4FBAA30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [A4FBC6C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [A4FBAA30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [A4FBCE00] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [A4FBC4D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [A4FBCE00] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [A4FBC4D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [A4FBC6C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [A4FBAA30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [A4FBC6C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [A4FBC4D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [A4FBCE00] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [A4FBCE00] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [A4FBC4D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [A4FBAA30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [A4FBC6C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [A4FBC6C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [A4FBAA30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [A4FBCE00] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [A4FBC4D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Altiris\Carbon Copy\shellker.exe[2224] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [1026A679] C:\Program Files\Altiris\Carbon Copy\cdwsock.dll (Carbon Copy 32 Winsock Library/Altiris)
IAT C:\WINNT\Explorer.EXE[2756] @ C:\WINNT\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[2756] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[2756] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[2756] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[2756] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[2756] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[2756] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[2756] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[2756] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[2756] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[2756] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[2756] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[2756] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[2756] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[2756] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[2756] @ C:\WINNT\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[2756] @ C:\WINNT\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[2756] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\Program Files\Checkpoint\Integrity Client\SecuRemote\bin\SR_Service.exe[4068] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [61A5AE90] C:\WINNT\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Checkpoint\Integrity Client\SecuRemote\bin\SR_Service.exe[4068] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [61A5AE90] C:\WINNT\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Checkpoint\Integrity Client\SecuRemote\bin\SR_Service.exe[4068] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [61A54150] C:\WINNT\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Checkpoint\Integrity Client\SecuRemote\bin\SR_Service.exe[4068] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [61A549A0] C:\WINNT\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Checkpoint\Integrity Client\SecuRemote\bin\SR_Service.exe[4068] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetModuleHandleA] [61A54960] C:\WINNT\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Checkpoint\Integrity Client\SecuRemote\bin\SR_Service.exe[4068] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!CreateThread] [61A5AE90] C:\WINNT\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Checkpoint\Integrity Client\SecuRemote\bin\SR_Service.exe[4068] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [61A528E0] C:\WINNT\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\00001478 -> \Driver\iaStor \Device\Harddisk0\DR0 8A53550C

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{04CA4F70-3145-486F-90A1-32AB5F42E745}\RP24\A0002068.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{04CA4F70-3145-486F-90A1-32AB5F42E745}\RP24\A0002125.exe:BAK 23040 bytes executable
File C:\WINNT\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Shaba
2009-11-24, 21:10
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

xyz1010
2009-11-24, 23:08
Please see the attached files.

Shaba
2009-11-25, 08:49
Please copy/paste those files to your next replies :)

xyz1010
2009-11-25, 16:45
ComboFix 09-11-23.06 - MaslaveN 11/24/2009 15:28.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1978.1328 [GMT -5:00]
Running from: c:\documents and settings\MaslaveN\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\winnt\system32\drivers\etc\lmhosts
c:\winnt\system32\prsgrc.dll

----- BITS: Possible infected sites -----

hxxp://nysealtiris-sql.corp.nyse.com
Infected copy of c:\winnt\system32\DRIVERS\iaStor.sys was found and disinfected
Restored copy from - c:\winnt\system32\ReinstallBackups\0002\DriverFiles\iaStor.sys

.
((((((((((((((((((((((((( Files Created from 2009-10-24 to 2009-11-24 )))))))))))))))))))))))))))))))
.

2009-11-24 20:21 . 2001-08-17 17:52 13952 -c--a-w- c:\winnt\system32\dllcache\cbidf2k.sys
2009-11-24 20:21 . 2001-08-17 17:52 13952 ----a-w- c:\winnt\system32\drivers\cbidf2k.sys
2009-11-24 13:07 . 2009-11-24 13:07 -------- d---a-w- c:\program files\Delve-Prod
2009-11-23 19:57 . 2009-11-23 20:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-23 19:57 . 2009-11-23 19:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-23 19:55 . 2009-11-23 19:57 16409960 ----a-w- c:\temp\spybotsd162.exe
2009-11-23 12:52 . 2008-04-14 05:15 60032 -c--a-w- c:\winnt\system32\dllcache\usbaudio.sys
2009-11-23 12:52 . 2008-04-14 05:15 60032 ----a-w- c:\winnt\system32\drivers\USBAUDIO.sys
2009-11-22 02:00 . 2009-11-22 02:01 -------- d---a-w- c:\program files\MARS2
2009-11-18 18:10 . 2009-11-18 18:10 -------- d-----w- c:\program files\Trend Micro
2009-11-14 02:27 . 2009-11-14 02:27 -------- d-----w- c:\winnt\Sun
2009-11-13 18:05 . 2009-11-23 18:26 -------- d-----w- c:\documents and settings\MaslaveN\Application Data\skypePM
2009-11-13 18:05 . 2009-11-13 18:05 56 ---ha-w- c:\winnt\system32\ezsidmv.dat
2009-11-13 18:02 . 2009-11-23 18:27 -------- d-----w- c:\documents and settings\MaslaveN\Application Data\Skype
2009-11-13 18:02 . 2009-11-13 18:02 -------- d-----w- c:\program files\Common Files\Skype
2009-11-13 18:02 . 2009-11-13 18:02 -------- d-----r- c:\program files\Skype
2009-11-13 18:02 . 2009-11-13 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-13 17:39 . 2009-11-13 21:30 -------- d-----w- c:\documents and settings\MaslaveN\Application Data\ICAClient
2009-11-13 17:05 . 2009-11-13 17:05 -------- d---a-w- c:\program files\AMSClient
2009-11-11 14:05 . 2009-11-11 14:05 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-11-11 14:05 . 2009-11-11 14:05 -------- d-----w- c:\program files\IObit
2009-11-10 22:20 . 2009-11-10 22:20 -------- d-----w- c:\program files\My Company Name
2009-11-10 16:49 . 2009-11-10 16:49 -------- d-----w- c:\documents and settings\MaslaveN\Local Settings\Application Data\Help
2009-11-10 16:29 . 2009-11-10 16:29 -------- d-----w- c:\documents and settings\MaslaveN\Local Settings\Application Data\Opera
2009-11-09 19:07 . 2009-11-09 19:07 152576 ----a-w- c:\documents and settings\MaslaveN\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-09 17:27 . 2009-11-09 17:27 -------- d-----w- c:\documents and settings\Administrator\.datastudio
2009-11-09 17:22 . 2009-11-09 17:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Logitech
2009-11-09 17:22 . 2009-11-09 17:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-11-09 14:07 . 2009-11-09 19:08 411368 ----a-w- c:\winnt\system32\deploytk.dll
2009-11-09 14:04 . 2009-11-09 14:04 -------- d-----w- c:\documents and settings\MaslaveN\Application Data\Malwarebytes
2009-11-09 14:03 . 2009-09-10 19:54 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-11-09 14:03 . 2009-11-09 14:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-09 14:03 . 2009-11-09 14:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-09 14:03 . 2009-09-10 19:53 19160 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-11-07 06:26 . 2009-11-12 15:46 -------- d-----w- C:\R
2009-11-04 20:58 . 2009-11-18 16:14 -------- d-----w- C:\Dimen
2009-10-30 11:49 . 2009-10-30 11:58 -------- d--h--w- c:\winnt\$hf_mig$
2009-10-30 11:47 . 2009-07-17 16:22 1435648 -c----w- c:\winnt\system32\dllcache\query.dll
2009-10-30 11:47 . 2009-09-04 21:03 58880 -c----w- c:\winnt\system32\dllcache\msasn1.dll
2009-10-29 19:44 . 2009-10-29 19:44 -------- d-----w- c:\program files\R
2009-10-29 14:39 . 2009-10-29 14:39 -------- d-----w- c:\documents and settings\MaslaveN\.sqldeveloper
2009-10-29 14:39 . 2009-10-29 14:39 -------- d-----w- c:\documents and settings\MaslaveN\Application Data\WinBatch
2009-10-29 14:39 . 2009-10-29 14:39 -------- d-----w- c:\program files\NYSE iPrint Util
2009-10-27 20:57 . 2001-08-18 02:36 5632 ----a-w- c:\winnt\system32\ptpusb.dll
2009-10-27 20:57 . 2008-04-14 09:42 159232 ----a-w- c:\winnt\system32\ptpusd.dll
2009-10-27 20:57 . 2008-04-14 04:15 15104 -c--a-w- c:\winnt\system32\dllcache\usbscan.sys
2009-10-27 20:57 . 2008-04-14 04:15 15104 ----a-w- c:\winnt\system32\drivers\usbscan.sys
2009-10-27 17:24 . 2009-10-27 17:24 -------- d-----w- c:\program files\Vim
2009-10-26 18:33 . 2009-10-26 18:33 -------- d-----w- c:\documents and settings\MaslaveN\Local Settings\Application Data\Yahoo
2009-10-26 18:33 . 2009-11-10 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-26 18:32 . 2009-10-26 18:32 -------- d-----w- c:\documents and settings\MaslaveN\Application Data\Yahoo!
2009-10-26 18:32 . 2009-11-10 23:53 -------- d-----w- c:\program files\Yahoo!
2009-10-26 11:35 . 2009-10-26 11:35 -------- d-----w- c:\program files\VS Revo Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-24 20:44 . 2009-10-22 08:58 4212 ---ha-w- c:\winnt\system32\zllictbl.dat
2009-11-24 20:40 . 2009-10-08 20:22 2401 ----a-w- c:\winnt\system32\drivers\AlKernel.sys
2009-11-24 20:40 . 2009-10-23 11:51 17920 ----a-w- c:\winnt\system32\rpcnetp.exe
2009-11-24 20:40 . 2009-10-21 15:07 56680 ----a-w- c:\winnt\system32\rpcnet.dll
2009-11-24 20:14 . 2009-11-24 20:14 3584 --sha-w- c:\program files\Common Files\Thumbs.db
2009-11-24 13:17 . 2009-11-24 13:19 4217856 ----a-w- c:\winnt\Internet Logs\xDB14.tmp
2009-11-24 13:17 . 2009-11-24 13:19 2859008 ----a-w- c:\winnt\Internet Logs\xDB15.tmp
2009-11-24 12:47 . 2009-10-23 21:41 15682742 ----a-w- c:\winnt\Internet Logs\tvDebug.Zip
2009-11-22 02:26 . 2009-10-25 00:23 186 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
2009-11-18 15:26 . 2009-11-18 15:26 177186 ----a-w- c:\winnt\Internet Logs\vsmon_2nd_2009_11_18_10_21_21_small.dmp.zip
2009-11-18 15:21 . 2009-11-18 15:21 3052544 ----a-w- c:\winnt\Internet Logs\xDBD1.tmp
2009-11-16 18:46 . 2009-11-16 18:46 20525124 ----a-w- c:\winnt\Internet Logs\vsmon_on_demand_crt_term_2009_11_16_13_41_31_full.dmp.zip
2009-11-16 18:46 . 2009-11-16 18:46 159730 ----a-w- c:\winnt\Internet Logs\vsmon_2nd_2009_11_16_13_41_29_small.dmp.zip
2009-11-16 18:41 . 2009-11-16 18:41 3031040 ----a-w- c:\winnt\Internet Logs\xDB105.tmp
2009-11-16 15:48 . 2009-11-16 15:48 20501994 ----a-w- c:\winnt\Internet Logs\vsmon_on_demand_crt_term_2009_11_16_10_43_31_full.dmp.zip
2009-11-16 15:48 . 2009-11-16 15:48 158020 ----a-w- c:\winnt\Internet Logs\vsmon_2nd_2009_11_16_10_43_29_small.dmp.zip
2009-11-16 15:43 . 2009-11-16 15:43 3032576 ----a-w- c:\winnt\Internet Logs\xDBC1.tmp
2009-11-14 05:47 . 2009-11-14 15:52 3121152 ----a-w- c:\winnt\Internet Logs\xDB13.tmp
2009-11-14 05:08 . 2009-10-21 15:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-14 05:06 . 2009-10-23 18:26 -------- d-----w- c:\program files\SAS
2009-11-12 21:03 . 2009-11-12 21:03 21008213 ----a-w- c:\winnt\Internet Logs\vsmon_on_demand_crt_term_2009_11_12_15_58_17_full.dmp.zip
2009-11-12 21:03 . 2009-11-12 21:03 153305 ----a-w- c:\winnt\Internet Logs\vsmon_2nd_2009_11_12_15_58_15_small.dmp.zip
2009-11-12 20:58 . 2009-11-12 20:58 3114496 ----a-w- c:\winnt\Internet Logs\xDB17C.tmp
2009-11-10 22:49 . 2009-11-10 23:54 3103744 ----a-w- c:\winnt\Internet Logs\xDB12.tmp
2009-11-10 16:56 . 2009-10-25 01:15 -------- d-----w- c:\program files\Google
2009-11-09 19:16 . 2009-10-23 16:13 -------- d-----w- c:\program files\Aqua Data Studio 6.5
2009-11-09 19:08 . 2009-10-21 15:18 -------- d-----w- c:\program files\Java
2009-11-09 17:22 . 2009-10-22 11:19 40472 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-08 07:25 . 2009-11-09 12:40 14031360 ----a-w- c:\winnt\Internet Logs\xDB11.tmp
2009-11-04 14:39 . 2009-10-23 18:43 -------- d-----w- c:\documents and settings\MaslaveN\Application Data\SAS
2009-11-04 14:39 . 2009-10-23 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SAS
2009-10-26 11:15 . 2009-10-08 20:22 41 ----a-w- C:\AClient.dat
2009-10-25 00:23 . 2009-10-25 00:23 16 ---h--w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\kfbfqnt.dll
2009-10-25 00:23 . 2009-10-25 00:23 158 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\ssprs.dll
2009-10-25 00:23 . 2009-10-25 00:23 1024 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\grcauth2.dll
2009-10-25 00:23 . 2009-10-25 00:23 1024 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\grcauth1.dll
2009-10-25 00:23 . 2009-10-25 00:23 1024 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\clauth2.dll
2009-10-25 00:23 . 2009-10-25 00:23 1024 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\clauth1.dll
2009-10-25 00:23 . 2009-10-25 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel
2009-10-25 00:23 . 2009-10-25 00:23 1024 ----a-w- c:\winnt\system32\grcauth2.dll
2009-10-25 00:23 . 2009-10-25 00:23 1024 ----a-w- c:\winnt\system32\grcauth1.dll
2009-10-25 00:22 . 2009-10-25 00:22 -------- d-----w- c:\program files\SPSSInc
2009-10-25 00:22 . 2009-10-21 15:02 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-24 05:46 . 2009-10-24 05:46 -------- d-----w- c:\documents and settings\MaslaveN\Application Data\InterVideo
2009-10-24 03:09 . 2009-10-24 02:50 -------- d-----w- c:\program files\AllerCalc
2009-10-23 22:35 . 2009-10-23 11:53 40472 ----a-w- c:\documents and settings\MaslaveN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 20:42 . 2009-10-23 20:42 -------- d-----w- c:\program files\WordWeb
2009-10-23 20:39 . 2009-10-23 20:39 -------- d-----w- c:\program files\Arsenal Company
2009-10-23 19:57 . 2009-10-23 19:57 -------- d-----w- c:\documents and settings\MaslaveN\Application Data\AdobeUM
2009-10-23 18:58 . 2009-10-23 18:58 -------- d-----w- c:\program files\Compare & Backup
2009-10-23 18:35 . 2009-10-23 18:35 -------- d-----w- c:\program files\MSECache
2009-10-23 18:35 . 2009-10-23 18:35 -------- d-----w- c:\program files\Microsoft WSE
2009-10-23 17:31 . 2009-10-23 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-10-23 16:27 . 2009-10-23 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-10-23 16:27 . 2009-10-23 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-10-23 16:27 . 2009-10-23 16:27 0 ---ha-w- c:\winnt\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-10-23 16:27 . 2009-10-23 16:27 0 ---ha-w- c:\winnt\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-10-23 16:26 . 2009-10-23 16:26 -------- d-----w- c:\documents and settings\MaslaveN\Application Data\Logitech
2009-10-23 16:26 . 2009-10-23 16:26 -------- d-----w- c:\documents and settings\MaslaveN\Application Data\Leadertech
2009-10-23 16:26 . 2009-10-23 16:25 -------- d-----w- c:\program files\Common Files\Logishrd
2009-10-23 16:25 . 2009-10-23 16:25 -------- d-----w- c:\program files\Logitech
2009-10-23 15:48 . 2009-10-23 15:48 -------- d-----w- c:\documents and settings\MaslaveN\Application Data\JAM Software
2009-10-23 15:34 . 2009-10-23 15:30 -------- d-----w- c:\program files\NYSE Shutdown
2009-10-23 15:30 . 2009-10-23 15:30 40960 ----a-r- c:\documents and settings\MaslaveN\Application Data\Microsoft\Installer\{F2E13906-5AA7-49B9-821C-47F011B2A3CC}\NewShortcut1.EXE
2009-10-23 14:45 . 2009-10-23 11:52 17920 ----a-w- c:\winnt\system32\rpcnetp.dll
2009-10-23 13:43 . 2009-10-23 13:24 -------- d-----w- c:\program files\WinSCP
2009-10-22 14:38 . 2009-10-22 14:37 -------- d-----w- c:\program files\Oracle
2009-10-22 14:35 . 2009-10-22 14:35 -------- d-----w- c:\program files\IBM OnDemand
2009-10-22 14:35 . 2009-10-22 14:35 -------- d-----w- c:\program files\IBM
2009-10-22 14:35 . 2009-10-22 14:35 -------- d-----w- c:\program files\DLE Viewer
2009-10-22 14:34 . 2009-10-21 15:07 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-22 08:58 . 2009-10-22 08:57 -------- d-----w- c:\program files\Checkpoint
2009-10-22 08:58 . 2009-10-22 08:58 -------- d-----w- c:\program files\Common Files\Check Point
2009-10-22 08:56 . 2009-10-22 08:56 25040 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-22 08:56 . 2009-10-22 08:56 -------- d-----w- c:\program files\NYSE Internet Settings
2009-10-22 08:41 . 2009-10-22 08:41 1638400 ----a-w- c:\winnt\system32\Gdiplus.dll
2009-10-22 08:41 . 2009-10-22 08:41 -------- d---a-w- c:\program files\LocalPrinterWizard
2009-10-21 19:49 . 2006-12-01 22:37 56680 ----a-w- c:\winnt\system32\rpcnet.exe
2009-10-21 19:20 . 2009-10-21 19:20 10134 ----a-r- c:\winnt\system32\config\systemprofile\Application Data\Microsoft\Installer\{0A53209E-79B6-4B4C-81F4-974E02CD5A55}\ARPPRODUCTICON.exe
2009-10-21 19:19 . 2009-10-21 19:19 -------- d-----w- c:\program files\VBrick
2009-10-21 19:17 . 2009-10-08 20:22 -------- d-----w- c:\program files\Altiris
2009-10-21 19:17 . 2009-10-21 19:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-21 19:10 . 2009-10-21 19:10 520192 ----a-w- c:\winnt\system32\NYSE screensaver.scr
2009-10-21 19:10 . 2009-03-16 13:36 1290584 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\SyKnAppS\SyKnAppS.dll
2009-10-21 19:09 . 2009-03-16 13:56 149768 ----a-w- c:\winnt\system32\drivers\WpsHelper.sys
2009-10-21 15:27 . 2009-10-21 15:27 -------- d-----w- c:\program files\Common Files\Altiris
2009-10-21 15:27 . 2009-10-21 15:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-21 15:27 . 2009-10-21 15:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-21 15:26 . 2009-10-21 15:26 805 ----a-w- c:\winnt\system32\drivers\SYMEVENT.INF
2009-10-21 15:26 . 2009-10-21 15:26 60800 ----a-w- c:\winnt\system32\S32EVNT1.DLL
2009-10-21 15:26 . 2009-10-21 15:26 123952 ----a-w- c:\winnt\system32\drivers\SYMEVENT.SYS
2009-10-21 15:26 . 2009-10-21 15:26 10563 ----a-w- c:\winnt\system32\drivers\SYMEVENT.CAT
2009-10-21 15:26 . 2009-10-21 15:24 -------- d-----w- c:\program files\Symantec
2009-10-21 15:23 . 2009-10-21 15:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\WinBatch
2009-10-21 15:21 . 2009-10-21 15:21 -------- d-----w- c:\program files\CUAgent
2009-10-21 15:20 . 2009-10-21 15:20 -------- d-----w- c:\program files\Lotus
2009-10-21 15:19 . 2009-10-21 15:19 -------- d-----w- c:\program files\Novell
2009-10-21 15:18 . 2009-10-21 15:18 -------- d-----w- c:\program files\Common Files\Java
2009-10-21 15:18 . 2009-10-21 15:18 2232 ----a-w- c:\winnt\java\Packages\Data\LVR93LFB.DAT
2009-10-21 15:18 . 2009-10-21 15:18 155995 ----a-w- c:\winnt\java\Packages\6PN17T7Z.ZIP
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Everyday Auto Backup"="c:\program files\Compare & Backup\Everyday Auto Backup\AutoBackup.exe" [2006-03-14 67072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-06-20 1310720]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
"snuvcdsm"="c:\winnt\snuvcdsm.exe" [2007-05-23 20480]
"AccelerometerSysTrayApplet"="c:\winnt\system32\AccelerometerSt.Exe" [2008-06-18 82224]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-06-03 177456]
"ZENRC Tray Icon"="c:\winnt\system32\zentray.exe" [2005-05-18 40960]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-03-16 115560]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2009-02-18 147456]
"SMARTIESettings"="c:\program files\NYSE Internet Settings\SmartIE.exe" [2009-09-09 57856]
"Check Point Endpoint Tray Application"="c:\program files\Common Files\Check Point\UIFramework\cptray.exe" [2009-04-17 68488]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-09 149280]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-11-14 1278736]
"NWTRAY"="NWTRAY.EXE" - c:\winnt\system32\nwtray.exe [2002-03-12 28672]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
CurrentUser.cmd [2008-10-10 335]

c:\documents and settings\MaslaveN\Start Menu\Programs\Startup\
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2009-10-23 42168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-23 813584]
Socrat Personal v. 3.0.3.lnk - c:\program files\Arsenal Company\Socrat Personal\Scpers32.exe [2009-10-23 274944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2007-07-20 458752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2007-01-10 16:52 24576 ----a-w- c:\winnt\system32\Novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2009-02-12 04:17 30104 ----a-w- c:\winnt\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\winnt\system32\AMInit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 SFAUDIO;Sonic Focus DSP Driver;c:\winnt\system32\drivers\sfaudio.sys [3/28/2008 5:14 AM 24064]
R1 CCDevice;CCDevice;c:\winnt\system32\drivers\CCDevice.sys [5/29/2007 5:55 PM 9216]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\winnt\system32\drivers\nipplpt.sys [10/21/2009 10:20 AM 18511]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [6/12/2008 11:21 AM 1164536]
R2 BlankScr;HBDevice;c:\winnt\system32\drivers\blankscr.sys [5/23/2005 1:47 PM 6899]
R2 CP_OMDRV;Check Point Office Mode Module;c:\winnt\system32\drivers\omdrv.sys [2/11/2009 11:17 PM 52728]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [11/24/2009 3:07 PM 312592]
R2 LBeepKE;LBeepKE;c:\winnt\system32\drivers\LBeepKE.sys [10/23/2009 11:26 AM 10384]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [5/9/2006 9:59 AM 167936]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\winnt\system32\drivers\vnasc.sys [2/11/2009 11:17 PM 126680]
R2 VPN-1;VPN-1 Module;c:\winnt\system32\drivers\vpn.sys [2/11/2009 11:17 PM 679352]
R2 XTAgent;Novell XTier Agent Services;c:\winnt\system32\Novell\xtagent.exe [1/10/2007 11:52 AM 61440]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\winnt\system32\drivers\ATSwpWDF.sys [6/12/2008 1:40 PM 477696]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [10/21/2009 10:17 AM 193840]
R3 Darpan;Darpan;c:\winnt\system32\drivers\Darpan.sys [5/23/2005 1:11 PM 2773]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\winnt\system32\drivers\e1y5132.sys [3/27/2008 6:42 AM 244368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/21/2009 2:09 PM 102448]
R3 FW1;SecuRemote Miniport;c:\winnt\system32\drivers\fw.sys [2/11/2009 11:17 PM 2242552]
R3 IFXTPM;IFXTPM;c:\winnt\system32\drivers\ifxtpm.sys [4/4/2007 2:16 PM 41216]
R3 rismc32;RICOH Smart Card Reader;c:\winnt\system32\drivers\rismc32.sys [12/19/2006 8:08 PM 47616]
S3 COH_Mon;COH_Mon;c:\winnt\system32\drivers\COH_Mon.sys [3/16/2009 8:33 AM 23888]
S3 DMService;Whale Component Manager;c:\winnt\DOWNLO~1\DMService.exe [10/21/2009 10:09 AM 423576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://myexchange.nyx.com/nyx.nsf/home/welcome?open&s=48649876
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_A54B7D6FB1DA63EA.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file:///C:/WINNT/Java/classes/xmldso.cab
DPF: {4F021AE3-9E98-11D0-A808-00C04FDCD94A} - hxxp://reg.e.nyse.com/NWDir.ocx
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Symantec Antvirus
AddRemove-Altiris HP Client Manager Agent - c:\program files\Altiris\Altiris Agent\HPCMSAgent\Uninstall.exe uninstall
AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe REMOVEALL



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-24 15:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\winnt\system32\AEXNSC20091124-154211.log 795 bytes

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x804D7000]<< >>UNKNOWN [0xBA168000]<< >>UNKNOWN [0xBA158000]<< >>UNKNOWN [0xBA398000]<< >>UNKNOWN [0x806E4000]<< >>UNKNOWN [0xB9F79000]<< >>UNKNOWN [0xB9E13000]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0xba16cf28
\Driver\ACPI -> 0xb9f7fcb8
\Driver\atapi -> 0xb9e01852
\Driver\iaStor -> 0xb9e51988
IoDeviceObjectType -> DeleteProcedure -> 0x805836a8
ParseProcedure -> 0x805827e8
SecurityProcedure -> 0x80583d4a
\Device\Harddisk0\DR0 -> DeleteProcedure -> 0x805836a8
ParseProcedure -> 0x805827e8
SecurityProcedure -> 0x80583d4a
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1528)
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\winnt\system32\xmlparse.dll
c:\winnt\system32\msi.dll
c:\winnt\system32\ZenMup.dll
c:\winnt\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\Novell\ZENworks\WMNTAPI.DLL
c:\winnt\system32\ckpNotify.dll

- - - - - - - > 'Explorer.exe'(9104)
c:\winnt\system32\WININET.dll
c:\program files\Arsenal Company\Socrat Personal\schook32.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Novell\ZENworks\NLS\english\NalUIRes.dll
c:\winnt\system32\msi.dll
c:\winnt\system32\IEFRAME.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\winnt\system32\NLS\ENGLISH\NWSHLXNR.DLL
c:\winnt\system32\NLS\ENGLISH\NOVNPNTR.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\Ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\winnt\System32\SCardSvr.exe
c:\program files\Altiris\AClient\AClient.exe
c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe
c:\winnt\system32\ccsrvc.exe
c:\program files\Altiris\Carbon Copy\shellker.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Novell\ZENworks\nalntsrv.exe
c:\winnt\system32\rpcnet.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Novell\ZENworks\wm.exe
c:\program files\Checkpoint\Integrity Client\SecuRemote\bin\SR_Watchdog.exe
c:\program files\Checkpoint\Integrity Client\SecuRemote\bin\SR_Service.exe
c:\winnt\system32\Ati2evxx.exe
c:\program files\Novell\ZENworks\WMRUNDLL.EXE
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\progra~1\Altiris\CARBON~1\client.exe
c:\program files\Checkpoint\Integrity Client\SecuRemote\bin\SR_GUI.Exe
c:\winnt\system32\wbem\wmiapsrv.exe
c:\program files\Altiris\Altiris Agent\AeXAgentUIHost.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Novell\ZENworks\NalAgent.exe
.
**************************************************************************
.
Completion time: 2009-11-24 15:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-24 20:46

Pre-Run: 36,332,396,544 bytes free
Post-Run: 36,499,292,160 bytes free

- - End Of File - - 570397720DCAC5DF60BFF12A11DEA8FE

xyz1010
2009-11-25, 16:46
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:02:28 PM, on 11/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Novell\XTAgent.exe
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINNT\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINNT\system32\rpcnet.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Checkpoint\Integrity Client\SecuRemote\bin\SR_Watchdog.exe
C:\Program Files\Checkpoint\Integrity Client\SecuRemote\bin\SR_Service.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINNT\system32\wbem\wmiapsrv.exe
C:\WINNT\system32\wbem\wmiprvse.exe
C:\Program Files\Checkpoint\Integrity Client\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINNT\snuvcdsm.exe
C:\WINNT\system32\AccelerometerSt.Exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\NYSE Internet Settings\SmartIE.exe
C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Compare & Backup\Everyday Auto Backup\AutoBackup.exe
C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Arsenal Company\Socrat Personal\Scpers32.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Checkpoint\Integrity Client\IClient.exe
C:\Program Files\VS Revo Group\Revo Uninstaller\revouninstaller.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\WINNT\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myexchange.nyx.com/nyx.nsf/home/welcome?open&s=48649876
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.corp.nyse.com/pac/webproxy.pac
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [snuvcdsm] C:\WINNT\snuvcdsm.exe
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINNT\system32\AccelerometerSt.Exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINNT\system32\zentray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SMARTIESettings] C:\Program Files\NYSE Internet Settings\SmartIE.exe
O4 - HKLM\..\Run: [Check Point Endpoint Tray Application] C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKCU\..\Run: [Everyday Auto Backup] C:\Program Files\Compare & Backup\Everyday Auto Backup\AutoBackup.exe /1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - .DEFAULT User Startup: CurrentUser.cmd (User 'Default user')
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Socrat Personal v. 3.0.3.lnk = C:\Program Files\Arsenal Company\Socrat Personal\Scpers32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_A54B7D6FB1DA63EA.dll/cmsidewiki.html
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.nyse.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F021AE3-9E98-11D0-A808-00C04FDCD94A} (Novell Directory Control) - http://reg.e.nyse.com/NWDir.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.nyx.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.nyx.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.nyx.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.nyse.com,nyse.com,siac.com,Tradearca.com,Corp.pacificex.net,Trading.pacificex.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.nyx.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.nyse.com,nyse.com,siac.com,Tradearca.com,Corp.pacificex.net,Trading.pacificex.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.nyse.com,nyse.com,siac.com,Tradearca.com,Corp.pacificex.net,Trading.pacificex.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINNT\system32\AMInit.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\Program Files\Fingerprint Sensor\AtService.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINNT\system32\rpcnet.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\Checkpoint\Integrity Client\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\Checkpoint\Integrity Client\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINNT\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 14429 bytes

Shaba
2009-11-25, 21:44
Please install recovery console manually as described in my link, rerun combofix and post back a fresh combofix log.

tashi
2009-12-03, 20:02
xyz1010 this thread has been closed due to inactivity.

As it has been four days or more since your last post, it will not be re-opened.

If you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread.

Please do not add any logs that might have been requested previously; you would be starting fresh.

This applies only to the original poster; anyone else with similar problems, please start your own topic.

Thank you, Shaba.