rcbroncos
2010-04-26, 18:26
Hi All,
Recent scans using Malwarebytes have resulted in numerous "Backdoor.Bot, Rogue.AntiVirusPro, Trojan.Dowloader" entries. Every time I check fix and reboot, the subsequent scan lists them again.
Below I have included the following log files for you:
1) Malwarebytes log
2) HijackThis log
Thanks, for any help you can give me!
++++++++++++++++++++++++++++++++
Below is the log file from MalwareBytes:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 4036
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
04/25/2010 11:47:46 PM
mbam-log-2010-04-25 (23-47-46).txt
Scan type: Quick scan
Objects scanned: 160344
Time elapsed: 8 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 88
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\Common Files\System\WinUpdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Windows Updates\winupdate.exe (Backdoor.Bifrose) -> Delete on reboot.
C:\Documents and Settings\administrator.SAFIRROSETTI\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\buser\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\rchandler\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Ron test\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\SafirRosetti Dallas\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\top\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\rchandler\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\administrator.SAFIRROSETTI\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\buser\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Ron test\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\SafirRosetti Dallas\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\top\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\rchandler\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\administrator.SAFIRROSETTI\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\buser\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Ron test\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\SafirRosetti Dallas\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\top\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\rchandler\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\administrator.SAFIRROSETTI\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\buser\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Ron test\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\SafirRosetti Dallas\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\top\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\administrator.SAFIRROSETTI\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\buser\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\rchandler\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Ron test\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\SafirRosetti Dallas\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\top\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\utorrent.exe (Worm.AutoRun) -> Delete on reboot.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\System\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\rchandler\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\administrator.SAFIRROSETTI\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\buser\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Ron test\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\SafirRosetti Dallas\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\top\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\ocxlist\winupdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\Winupdate\Winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\administrator.SAFIRROSETTI\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\buser\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Default User\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\rchandler\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Ron test\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\SafirRosetti Dallas\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\top\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
++++++++++++++++++++++++++++++++
Here is the HiJackThis log:
++++++++++++++++++++++++++++++++
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 09:38:13 AM, on 04/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec\Backup Exec\DLO\DLOChangeLogSvcu.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NMapWin\bin\nmapserv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Tenable\Nessus\nessusd.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Acronis\TrueImageServer\TrueImageMonitor.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Acronis\TrueImageServer\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe
C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Citrix\GoToMeeting\452\g2mstart.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Citrix\GoToMeeting\452\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\452\g2mlauncher.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
C:\Program Files\Sprint\Sprint SmartView\bmctl.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Documents and Settings\rchandler\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0071218
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=internetpln.eds.com:81;http=internetpln.eds.com:80;https=internetpln.eds.com:443;socks=internetpln.eds.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.eds.com;*.hp.com;*.hp.net;*.hpqcorp.net;*.cpqcorp.net;*.hpshopping.com;*.mphasis.com;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEToolbarBHO Class - {1A1DAC8C-074D-440F-8707-7009A672D7D1} - C:\Program Files\LinkedIn\IE Toolbar\3.0.4.1100\LinkedinIEToolbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: LinkedIn Toolbar - {BB670D0B-5C46-40C7-B38B-40DD26987723} - C:\Program Files\LinkedIn\IE Toolbar\3.0.4.1100\LinkedinIEToolbar.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TOP Client Service Helper] C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB002" /M "Stylus CX3800"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageServer\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageServer\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Sprint SmartView] "C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe" -a
O4 - HKLM\..\Run: [RDVCHG] "C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe"
O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [GoToMeeting] "C:\Program Files\Citrix\GoToMeeting\452\g2mstart.exe" "/Trigger RunAtLogon"
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Linked&In Search - res://C:\Program Files\LinkedIn\IE Toolbar\3.0.4.1100\LinkedinIEToolbar.dll/ContextMenu.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms35 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall35.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1268861057014
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1270633292242
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://milestone.webex.com/client/T27L/webex/ieatgpc.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SafirRosetti.local
O17 - HKLM\Software\..\Telephony: DomainName = SafirRosetti.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SafirRosetti.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SafirRosetti.local
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Check Point SSL Network Extender (cpextender) - Check Point Software Technologies - C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Cypherix service (cypherixservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cypherixsrv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec Backup Exec Desktop Agent Change Journal Reader (DLOChangeJournalSvc) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\DLO\DLOChangeLogSvcu.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TOP Managed Services Agent (KATOPNY985365886345188) - Kaseya International Limited - C:\Program Files\Kaseya\Agent\AgentMon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NMap - Unknown owner - C:\Program Files\NMapWin\bin\nmapserv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PsShutdown (PsShutdownSvc) - Systems Internals - C:\WINDOWS\System32\PSSDNSVC.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SolarWinds SFTP/SCP Server (SolarWinds SFTP Server 1.0.0.18) - SolarWinds - C:\Program Files\SolarWinds\SftpServer\SolarWindsSftpServer.exe
O23 - Service: SolarWinds TFTP Server - SolarWinds - C:\Documents and Settings\rchandler\Application Data\SolarWinds\Toolset\SolarWinds TFTP Server.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sprint RcAppSvc (SprintRcAppSvc) - SmithMicro Inc. - C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cryptainersrv.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Tenable Nessus - Tenable Network Security - C:\Program Files\Tenable\Nessus\nessusd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 21143 bytes
+++++++++++++++++++++++++++++++++++++++++++++
Recent scans using Malwarebytes have resulted in numerous "Backdoor.Bot, Rogue.AntiVirusPro, Trojan.Dowloader" entries. Every time I check fix and reboot, the subsequent scan lists them again.
Below I have included the following log files for you:
1) Malwarebytes log
2) HijackThis log
Thanks, for any help you can give me!
++++++++++++++++++++++++++++++++
Below is the log file from MalwareBytes:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 4036
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
04/25/2010 11:47:46 PM
mbam-log-2010-04-25 (23-47-46).txt
Scan type: Quick scan
Objects scanned: 160344
Time elapsed: 8 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 88
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\Common Files\System\WinUpdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Windows Updates\winupdate.exe (Backdoor.Bifrose) -> Delete on reboot.
C:\Documents and Settings\administrator.SAFIRROSETTI\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\buser\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\rchandler\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Ron test\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\SafirRosetti Dallas\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\top\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\rchandler\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\administrator.SAFIRROSETTI\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\buser\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Ron test\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\SafirRosetti Dallas\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\top\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\rchandler\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\administrator.SAFIRROSETTI\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\buser\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Ron test\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\SafirRosetti Dallas\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\top\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\rchandler\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\administrator.SAFIRROSETTI\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\buser\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Ron test\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\SafirRosetti Dallas\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\top\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\administrator.SAFIRROSETTI\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\buser\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\rchandler\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Ron test\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\SafirRosetti Dallas\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\top\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\utorrent.exe (Worm.AutoRun) -> Delete on reboot.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\System\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\rchandler\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\administrator.SAFIRROSETTI\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\buser\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Ron test\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\SafirRosetti Dallas\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\top\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\ocxlist\winupdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\Winupdate\Winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\administrator.SAFIRROSETTI\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\buser\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Default User\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\rchandler\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Ron test\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\SafirRosetti Dallas\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\top\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
++++++++++++++++++++++++++++++++
Here is the HiJackThis log:
++++++++++++++++++++++++++++++++
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 09:38:13 AM, on 04/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec\Backup Exec\DLO\DLOChangeLogSvcu.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NMapWin\bin\nmapserv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Tenable\Nessus\nessusd.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Acronis\TrueImageServer\TrueImageMonitor.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Acronis\TrueImageServer\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe
C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Citrix\GoToMeeting\452\g2mstart.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Citrix\GoToMeeting\452\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\452\g2mlauncher.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
C:\Program Files\Sprint\Sprint SmartView\bmctl.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Documents and Settings\rchandler\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0071218
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=internetpln.eds.com:81;http=internetpln.eds.com:80;https=internetpln.eds.com:443;socks=internetpln.eds.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.eds.com;*.hp.com;*.hp.net;*.hpqcorp.net;*.cpqcorp.net;*.hpshopping.com;*.mphasis.com;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEToolbarBHO Class - {1A1DAC8C-074D-440F-8707-7009A672D7D1} - C:\Program Files\LinkedIn\IE Toolbar\3.0.4.1100\LinkedinIEToolbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: LinkedIn Toolbar - {BB670D0B-5C46-40C7-B38B-40DD26987723} - C:\Program Files\LinkedIn\IE Toolbar\3.0.4.1100\LinkedinIEToolbar.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TOP Client Service Helper] C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB002" /M "Stylus CX3800"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageServer\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageServer\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Sprint SmartView] "C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe" -a
O4 - HKLM\..\Run: [RDVCHG] "C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe"
O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [GoToMeeting] "C:\Program Files\Citrix\GoToMeeting\452\g2mstart.exe" "/Trigger RunAtLogon"
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Linked&In Search - res://C:\Program Files\LinkedIn\IE Toolbar\3.0.4.1100\LinkedinIEToolbar.dll/ContextMenu.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms35 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall35.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1268861057014
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1270633292242
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://milestone.webex.com/client/T27L/webex/ieatgpc.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SafirRosetti.local
O17 - HKLM\Software\..\Telephony: DomainName = SafirRosetti.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SafirRosetti.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SafirRosetti.local
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Check Point SSL Network Extender (cpextender) - Check Point Software Technologies - C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Cypherix service (cypherixservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cypherixsrv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec Backup Exec Desktop Agent Change Journal Reader (DLOChangeJournalSvc) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\DLO\DLOChangeLogSvcu.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TOP Managed Services Agent (KATOPNY985365886345188) - Kaseya International Limited - C:\Program Files\Kaseya\Agent\AgentMon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NMap - Unknown owner - C:\Program Files\NMapWin\bin\nmapserv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PsShutdown (PsShutdownSvc) - Systems Internals - C:\WINDOWS\System32\PSSDNSVC.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SolarWinds SFTP/SCP Server (SolarWinds SFTP Server 1.0.0.18) - SolarWinds - C:\Program Files\SolarWinds\SftpServer\SolarWindsSftpServer.exe
O23 - Service: SolarWinds TFTP Server - SolarWinds - C:\Documents and Settings\rchandler\Application Data\SolarWinds\Toolset\SolarWinds TFTP Server.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sprint RcAppSvc (SprintRcAppSvc) - SmithMicro Inc. - C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cryptainersrv.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Tenable Nessus - Tenable Network Security - C:\Program Files\Tenable\Nessus\nessusd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 21143 bytes
+++++++++++++++++++++++++++++++++++++++++++++