Access denied Automatic updates / programs freezing

Status
Not open for further replies.
G

Galvatron

New member
hi,

I recently ran Malware bytes and Spyware Doctor w/ Antivirus and quarantined several trojans such as vundo, virtumonde, Fake.alert, Pakes!sd6, HeurEngine.packed, trojan.downloader, etc.

Not sure if i've removed everything from the registry. I cannot turn on Automatic updates due to an Access Denied error message. Although i am not getting pop ups anymore, firefox, explorer windows and other programs freeze and require a hard reboot.

Any detective help would be very much appreciated.

Thanks,
Brian



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:09 AM, on 3/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.audiogang.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [t0pm168n2dt2kwi7nua9o480hgubr] C:\DOCUME~1\BRIAND~1\LOCALS~1\Temp\fpxgq5n3hl5.exe
O4 - HKCU\..\Run: [enatn03kuv6h83esrbr303e60ihis4vxwj4lu7p0ixx7] C:\DOCUME~1\BRIAND~1\LOCALS~1\Temp\a0olvo2o77i0.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: ihlmel.dll
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NeatReceipts Database Controller - Digital Business Processes - C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

--
End of file - 8041 bytes
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Pinned (sticky) to the top of this forum, and posted above are the directions, make sure you have read and followed them.

Hi Brian, you might want to review the "Before you Post" instructions again.
Until a helper responds, the HJT log has not been analyzed. Please wait to be advised and do NOT run fixes until asked.
Click to expand...

If you still have the scan results from MBAM, please post it.

Let's have a look like this:

1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from here:

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks...Phil
 
ComboFix 09-03-15.01 - Brian DiDomenico 2009-03-17 1:45:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.614 [GMT -7:00]
Running from: c:\documents and settings\Brian DiDomenico\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\abkajyjs.dll
c:\windows\system32\bcjqvu.dll
c:\windows\system32\fhoscnaj.ini
c:\windows\system32\mjjnelvd.ini
c:\windows\system32\qidfcpgu.ini
c:\windows\system32\qoMfdcdB.dll.vir
c:\windows\system32\tnlsyfyh.ini
c:\windows\system32\vcar3sdu3yaj3.dll
c:\windows\system32\vvmvqgai.ini

.
((((((((((((((((((((((((( Files Created from 2009-02-17 to 2009-03-17 )))))))))))))))))))))))))))))))
.

2009-03-11 20:46 . 2009-03-12 01:16 <DIR> d-------- c:\program files\NOS
2009-03-11 20:46 . 2009-03-12 01:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-03-11 02:09 . 2009-03-11 02:09 <DIR> d-------- c:\program files\ERUNT
2009-03-07 21:18 . 2009-03-17 01:37 <DIR> d-------- c:\program files\Spyware Doctor
2009-03-07 21:18 . 2009-03-07 21:20 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-03-07 21:18 . 2009-03-07 21:18 <DIR> d-------- c:\documents and settings\Brian DiDomenico\Application Data\PC Tools
2009-03-07 21:18 . 2009-03-07 21:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-03-07 21:18 . 2008-07-28 12:29 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2009-03-07 21:18 . 2009-03-07 21:22 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-03-07 21:18 . 2009-03-07 21:22 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-03-07 21:18 . 2009-03-07 21:22 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-03-07 21:18 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-03-02 21:39 . 2009-03-02 21:39 <DIR> d-------- c:\program files\SmartFTP Client
2009-03-02 21:38 . 2009-03-02 21:38 <DIR> d-------- c:\program files\SmartFTP Client 3.0 Setup Files
2009-02-22 00:59 . 2009-02-22 00:59 <DIR> d-------- c:\program files\SpacialAudio
2009-02-22 00:15 . 2009-02-22 00:15 <DIR> d-------- c:\program files\MySQL
2009-02-22 00:15 . 2009-02-22 00:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\MySQL
2009-02-19 13:16 . 2009-02-19 13:16 126,976 --a------ C:\xuli.exe
2009-02-19 13:16 . 2009-02-19 13:16 2 --a------ C:\600316945
2009-02-19 13:16 . 2009-02-19 13:16 0 --a------ C:\desae.exe
2009-02-19 13:15 . 2009-02-19 13:15 39,936 --a------ C:\cwxwwgtl.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-17 08:51 67,363,104 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-17 08:50 915,740 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-17 08:50 150,080 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-03-17 08:50 1,511,456 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-03-17 08:37 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-17 08:31 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-17 08:02 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2009-03-12 14:27 --------- d-----w c:\documents and settings\Brian DiDomenico\Application Data\Azureus
2009-03-12 01:46 --------- d-----w c:\program files\Common Files\Adobe
2009-03-12 01:46 --------- d-----w c:\documents and settings\Brian DiDomenico\Application Data\AdobeUM
2009-03-11 06:26 --------- d-----w c:\program files\MagicISO
2009-03-05 06:34 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-03 19:53 --------- d-----w c:\program files\SpywareBlaster
2009-02-24 08:57 --------- d-----w c:\documents and settings\Brian DiDomenico\Application Data\SmartFTP
2009-02-24 07:36 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-02-23 10:01 --------- d-----w c:\program files\Trillian
2009-02-23 07:15 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-02-21 08:21 --------- d-----w c:\program files\Java
2009-02-20 04:25 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-19 21:17 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-19 08:19 --------- d-----w c:\documents and settings\Brian DiDomenico\Application Data\Skype
2009-02-19 02:39 --------- d-----w c:\documents and settings\Brian DiDomenico\Application Data\skypePM
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-21 19:27 --------- d-----w c:\program files\Common Files\Agfa
2009-01-21 19:27 --------- d-----w c:\program files\Agfa
2009-01-21 00:11 --------- d-----w c:\program files\Common Files\4Team
2009-01-21 00:11 --------- d-----w c:\documents and settings\Brian DiDomenico\Application Data\4Team
2009-01-21 00:10 --------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations
2007-05-22 08:10 70,064 -c--a-w c:\documents and settings\Brian DiDomenico\Application Data\GDIPFONTCACHEV1.DAT
2001-03-28 20:02 122,880 ----a-w c:\windows\inf\Agfa\message.exe
2008-09-01 02:41 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083120080901\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-10 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-12-20 278528]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"nwiz"="nwiz.exe" [2005-12-10 c:\windows\system32\nwiz.exe]

c:\documents and settings\Brian DiDomenico\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-02-10 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
DMX 6fire 2496 ControlPanel.lnk - c:\program files\TerraTec\DMX 6fire\DMX6Fire.exe [2006-02-07 335872]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ihlmel.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IviRegMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\TYPO3_4.2.2\\Apache\\bin\\Apache.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\SpacialAudio\\SAMBC\\SAMBC.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-03-07 160792]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R2 NeatReceipts Database Controller;NeatReceipts Database Controller;c:\program files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe [2008-02-05 228480]
R2 NProtectService;Norton Unerase Protection;c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [2006-03-04 135168]
R3 dmxfire;DMX6fire WDM Audio;c:\windows\system32\drivers\dmx6fire.sys [2003-08-29 148724]
R3 dmxsens;dmxsens;c:\windows\system32\drivers\dmxsens.sys [2003-07-22 403968]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-12-13 24592]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2007-04-04 20160]
S3 MSSQL$NR2007;SQL Server (NR2007);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-07 356920]
.
Contents of the 'Scheduled Tasks' folder

2009-03-07 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Common Files\Symantec Shared\NMAIN.EXE [2001-08-17 20:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.audiogang.org/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Brian DiDomenico\Application Data\Mozilla\Firefox\Profiles\wbbqgkyk.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-17 01:52:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1647877149-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9D2EB8D1-1029-869F-2FFF-401C4E675D1F}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iadglmggcjmkmacchk"=hex:6a,61,70,6c,67,66,65,6a,62,63,61,67,61,64,6f,61,6d,63,
70,65,00,00
"hajgfmocnppholnn"=hex:6a,61,70,6c,6e,66,64,68,63,67,64,69,61,64,62,63,6d,6c,
6a,62,00,ff
"iapjlpehpapjojlhlp"=hex:63,61,63,6c,6e,65,00,7c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(972)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\fssync.dll
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\NORTON~1\SPEEDD~1\NOPDB.EXE
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-03-17 1:55:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-17 08:55:44

Pre-Run: 5,544,574,976 bytes free
Post-Run: 5,847,863,296 bytes free

207 --- E O F --- 2009-01-15 08:09:38


Last logged Malwarebytes
Malwarebytes' Anti-Malware 1.34
Database version: 1779
Windows 5.1.2600 Service Pack 3

3/7/2009 10:12:50 PM
mbam-log-2009-03-07 (22-12-50).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 347761
Time elapsed: 1 hour(s), 25 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:59:39 AM, on 3/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.audiogang.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: ihlmel.dll
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NeatReceipts Database Controller - Digital Business Processes - C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

--
End of file - 7096 bytes



Ad-Aware SE Personal
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 7.0.7
Agfa ScanWise 2.00
Azureus
Business Contact Manager for Outlook 2007 SP1
Business Contact Manager for Outlook 2007 SP1
Cakewalk Pyro 2003
DMX 6fire 24/96 ControlPanel
DVD Decrypter (Remove Only)
DVD Shrink 3.2
ERUNT 1.1j
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 2.0 (KB922981)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
HP Business Inkjet 2230/2280
iTunes
Java(TM) 6 Update 11
Java(TM) 6 Update 7
Kaspersky Anti-Virus 7.0
Kaspersky Anti-Virus 7.0
Last.fm 1.5.1.29527
LiveReg (Symantec Corporation)
LiveUpdate 1.7 (Symantec Corporation)
Macromedia Flash Player 8
Magic ISO Maker v5.5 (build 0273)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server 2005 Express Edition (NR2007)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.7)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
MySQL Server 5.1
NeatReceipts Database Controller
NeatReceipts Professional
NeatReceipts Professional 3.0 Core Files
Norton SystemWorks 2002
NVIDIA Drivers
Pdf995
PdfEdit995
PowerQuest BootMagic 8.0
PowerQuest PartitionMagic 8.0
QuickTime
Roxio Easy Media Creator 7
SAM Broadcaster (remove only)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Signature995
Skype™ 3.8
SmartFTP Client
SmartFTP Client
SmartFTP Client 2.0 Setup Files (remove only)
SmartFTP Client 3.0 Setup Files (remove only)
Spybot - Search & Destroy
Spyware Doctor 6.0
SpywareBlaster 4.1
StuffIt Deluxe
Trillian
TYPO3Winstaller - TYPO3 4.2.2
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VIA Platform Device Manager
Winamp (remove only)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver
XviD 1.1 final uninstall
 
Hi Brian, it is hard to troubleshoot malware when multiple antivirus programs competing may be part of the problem? I am also seeing Norton SystemWorks
as well as what combofix reports?
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
According to combofix, Spyware Doctor is also antivirus and you want only one running on the computer. If Spyware Doctor supplies antivirus protection, uninstall the other antivirus program.

Before you post another HJT log, please be sure there is only one antivirus program running on this computer.

Azureus <<< p2p program...uninstall
http://forums.spybot.info/showthread.php?t=282
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
Click to expand...

Please follow the directions carefully and in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
C:\xuli.exe
C:\desae.exe
C:\cwxwwgtl.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Folder::
C:\600316945
c:\documents and settings\Brian DiDomenico\Application Data\Azureus

Save this as CFScript

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O20 - AppInit_DLLs: ihlmel.dll <<< may be gone

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

No need to download MBAM if you still have it, but be sure to update and run it as instructed.
(Database version: 1857 3/17/2009)

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running now?

Thanks

This can be done as time permits, but it is important, and may be why you are infected.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Flash Player 10 Plugin
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Adobe Reader 7.0.7 <<< out of date and unsafe, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

Azureus <<< p2p, must be uninstalled

Java(TM) 6 Update 11
Java(TM) 6 Update 7
Out of date and unsafe, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php
 
Hi Phil,

I uninstalled Kaspersky and Azuerus. Norton Systemworks is only for reg clean and optimization. The antivirus has been disabled.

O20 in HiJack was gone.

computer seems to be running ok but i am still unable to turn on automatic updates. Either through Automatic Updates in control panel or through Admin Services (windows xp pro). When i change the service type from disabled to automatic I get en error saying Access Denied.

Please advise. Thank you!!!
Brian




ComboFix 09-03-15.01 - Brian DiDomenico 2009-03-17 12:18:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.500 [GMT -7:00]
Running from: c:\documents and settings\Brian DiDomenico\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian DiDomenico\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
C:\cwxwwgtl.exe
C:\desae.exe
C:\xuli.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\600316945\
C:\cwxwwgtl.exe
C:\desae.exe
c:\documents and settings\Brian DiDomenico\Application Data\Azureus
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\.certs
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\.keystore
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\.lock
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\06E1F7FB236B06BC356F889A28688232960B82B3.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\06E1F7FB236B06BC356F889A28688232960B82B3.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\0A7891B3FDCC54E89B730206491B9581305C07C2.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\0A7891B3FDCC54E89B730206491B9581305C07C2.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\0C13782D67A24C738632144D2B9A4F9A171AD869.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\0C13782D67A24C738632144D2B9A4F9A171AD869.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\0F18E8F8407CC3C00559B4CF81038FA9CF99A56F.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\0F18E8F8407CC3C00559B4CF81038FA9CF99A56F.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\10DAE7D164205A6BDDF8EFF609B134C6E5DE1A20.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\10DAE7D164205A6BDDF8EFF609B134C6E5DE1A20.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\14EC977A4FDCB1B29B90A4455D6E7F8410C23166.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\14EC977A4FDCB1B29B90A4455D6E7F8410C23166.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\15089C9C99CC5B05316CFCDE2EA1F43997953A3E.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\15089C9C99CC5B05316CFCDE2EA1F43997953A3E.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\1689ED71E345A7B7D3C93F110AA5FEEBF72E8C9F.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\1689ED71E345A7B7D3C93F110AA5FEEBF72E8C9F.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\176CB1EF55D24AD6064C035C3AEA2163176C1987.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\176CB1EF55D24AD6064C035C3AEA2163176C1987.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\1D2D92B38584071E9B65B9CB26C95B3674CA3BEC.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\1D2D92B38584071E9B65B9CB26C95B3674CA3BEC.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\23013241DD13741FE7E3B19DC5ACDB8D8C8AEA7F.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\23013241DD13741FE7E3B19DC5ACDB8D8C8AEA7F.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\2E8569C915187E3ABA1B0827821F4D4D311088F9.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\2E8569C915187E3ABA1B0827821F4D4D311088F9.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\30FB7ABB0458DC39028D512B720D4D45901E2F9A.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\30FB7ABB0458DC39028D512B720D4D45901E2F9A.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\3360BBFC0BD6544247A17B5E4A032CAD632064FB.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\3360BBFC0BD6544247A17B5E4A032CAD632064FB.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\36F81C346C338DE0E91599DE9102C96C4D66853D.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\36F81C346C338DE0E91599DE9102C96C4D66853D.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\38CB7D94FA5F40B89D2E76BAD7B02C17D017C302.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\38CB7D94FA5F40B89D2E76BAD7B02C17D017C302.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\3CFE5DD4615FC9804A57415478E955D03D6EEF5E.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\3CFE5DD4615FC9804A57415478E955D03D6EEF5E.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\40A9EF15D9CD65618306FF73860194ACF752B5F3.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\40A9EF15D9CD65618306FF73860194ACF752B5F3.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\451BAA110F4AFC1BB97EEED8B528E7C57317C748.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\451BAA110F4AFC1BB97EEED8B528E7C57317C748.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\4E23A8EAF9AABA68171C5FEC88766EB2D4CAB064.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\4E23A8EAF9AABA68171C5FEC88766EB2D4CAB064.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\51BD5B29E7E8DFE48A1D082CF07896F1D1742811.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\51BD5B29E7E8DFE48A1D082CF07896F1D1742811.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\64AB8A9CCC38AF182F0DBDB56218D36EBED25E33.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\64AB8A9CCC38AF182F0DBDB56218D36EBED25E33.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\69BF098E6EB00F9959D64D11144786B3506E650B.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\69BF098E6EB00F9959D64D11144786B3506E650B.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\746076CBDBB8D35C92E6A1158BCAFB25C71DB3DA.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\746076CBDBB8D35C92E6A1158BCAFB25C71DB3DA.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\7592FC8E745FF98D40CCAC51195362FDFA360E4E.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\7592FC8E745FF98D40CCAC51195362FDFA360E4E.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\7643B1D1C6926BD4C0508C5BD0561BC64EAB12E0.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\7643B1D1C6926BD4C0508C5BD0561BC64EAB12E0.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\7877A1EA935075247627B10CE5086CB1AC1B46A8.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\7877A1EA935075247627B10CE5086CB1AC1B46A8.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\78AE058283783775DFA1CE09F60047596F670CE8.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\78AE058283783775DFA1CE09F60047596F670CE8.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\7D550CC3159FE95AA7CB4B2A4793783F526D09A9.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\7D550CC3159FE95AA7CB4B2A4793783F526D09A9.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\7ED5A2DC1B7DB474196F82983133175BB5CB0B1B.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\7ED5A2DC1B7DB474196F82983133175BB5CB0B1B.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\863442B663F166A62461B5304E9D9C9E2B55BD6C.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\863442B663F166A62461B5304E9D9C9E2B55BD6C.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\873410613089CB7FE9FAED3445B70D58DE3DF131.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\873410613089CB7FE9FAED3445B70D58DE3DF131.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\8B6E3C9754EAB79185389159A28888EE62624F68.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\8B6E3C9754EAB79185389159A28888EE62624F68.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\92808514A8D4B852F591857044297073016EF879.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\92808514A8D4B852F591857044297073016EF879.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\9E3F68A31243599CCDF704CB07C71EF3DEB39BEE.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\9E3F68A31243599CCDF704CB07C71EF3DEB39BEE.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\A2628929B63EC2988AF0AB3CD6224C97EFDDDC17.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\A2628929B63EC2988AF0AB3CD6224C97EFDDDC17.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\AB2AD2B222A580A8970EE680F2F8DC8F81410BBC.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\AB2AD2B222A580A8970EE680F2F8DC8F81410BBC.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\AB4A61ACE28FEE06EC8DA03296BE016057A3CA76.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\AB4A61ACE28FEE06EC8DA03296BE016057A3CA76.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\B49ED1DBCB7138D27BE8D98CE612871DDB9CBAB9.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\B49ED1DBCB7138D27BE8D98CE612871DDB9CBAB9.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\B6DB5DF7D635D8C695B3503E6B8B2AD983FB5281.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\B6DB5DF7D635D8C695B3503E6B8B2AD983FB5281.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\B7055586C2A04BB3D6D9EDB8BA9064D908AFDEEA.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\B7055586C2A04BB3D6D9EDB8BA9064D908AFDEEA.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\C5ED81A8B74EDC7E8D1EA5AE2F80EE28E0583A49.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\C5ED81A8B74EDC7E8D1EA5AE2F80EE28E0583A49.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\C71312FDD8CFA0DD410FB69499DE2D8DBF09CDD0.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\C71312FDD8CFA0DD410FB69499DE2D8DBF09CDD0.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\C9E5FCA8CA503179E55B8A5C96687C3CC07EE9DA.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\C9E5FCA8CA503179E55B8A5C96687C3CC07EE9DA.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\cache.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\CD3DE28453ABEFEF6B4700A8A5937A1599BB5393.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\CD3DE28453ABEFEF6B4700A8A5937A1599BB5393.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\CF6BD52A2B5B2BBEEBD9A152DFDE0933905264EE.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\CF6BD52A2B5B2BBEEBD9A152DFDE0933905264EE.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\D3CB4D69CED0BD6A0C106FD09FE151E7ACF516FF.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\D3CB4D69CED0BD6A0C106FD09FE151E7ACF516FF.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\DCB0807F068B99EE9EE2C6454B2CA0B30519B4B0.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\DCB0807F068B99EE9EE2C6454B2CA0B30519B4B0.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\DD6FB94CF8FF66800A6C63F12F7A898158AF3C8B.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\DD6FB94CF8FF66800A6C63F12F7A898158AF3C8B.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\E1CC48703CB1D0866FA2A3581D70AC66C257B2D4.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\E1CC48703CB1D0866FA2A3581D70AC66C257B2D4.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\E647D18FF8D24009602B9AC4D52A64114F3EFBDF.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\E647D18FF8D24009602B9AC4D52A64114F3EFBDF.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\E9ACE30CA187EA57F36B5486E6009CB6231734F1.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\E9ACE30CA187EA57F36B5486E6009CB6231734F1.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\EE79B6A03AA3B5F575A55C3F2945BD971A9383CC.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\EE79B6A03AA3B5F575A55C3F2945BD971A9383CC.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\EF262D3C123DF0AC0CC25A28869B67A6A8F7D0DA.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\EF262D3C123DF0AC0CC25A28869B67A6A8F7D0DA.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\F601FD5921AB4C465831EF0AB69ED828EA08C525.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\F601FD5921AB4C465831EF0AB69ED828EA08C525.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\FBF8CF245CCC3E97D8EE04840D85FA1A5552B1AE.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\FBF8CF245CCC3E97D8EE04840D85FA1A5552B1AE.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\FF79112EC04DCEB90A7576856D20DE52B2E81066.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\active\FF79112EC04DCEB90A7576856D20DE52B2E81066.dat.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\azureus.config
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\azureus.config.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\azureus.statistics
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\azureus.statistics.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\banips.config
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\banips.config.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\dht\general.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\dht\version.dat
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\downloads.config
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\downloads.config.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\ipfilter.cache
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\alerts_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\debug_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\debug_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1235458099765_alerts_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1235458099765_debug_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1235458099765_debug_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1235458099765_seltrace_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1235458099765_seltrace_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1235458099765_thread_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1235458099765_thread_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236046944078_alerts_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236046944078_debug_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236046944078_debug_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236046944078_seltrace_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236046944078_seltrace_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236046944078_thread_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236046944078_thread_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236048348156_alerts_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236048348156_debug_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236048348156_debug_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236048348156_seltrace_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236048348156_seltrace_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236048348156_thread_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236048348156_thread_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236062652265_alerts_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236062652265_debug_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236062652265_debug_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236062652265_seltrace_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236062652265_seltrace_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236062652265_thread_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236062652265_thread_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236239287640_alerts_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236239287640_debug_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236239287640_debug_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236239287640_seltrace_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236239287640_seltrace_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236239287640_thread_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236239287640_thread_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236241754515_alerts_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236241754515_debug_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236241754515_debug_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236241754515_seltrace_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236241754515_seltrace_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236241754515_thread_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236241754515_thread_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236402113500_alerts_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236402113500_debug_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236402113500_debug_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236402113500_seltrace_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236402113500_seltrace_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236402113500_thread_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236402113500_thread_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236415503375_alerts_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236415503375_debug_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236415503375_debug_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236415503375_seltrace_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236415503375_seltrace_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236415503375_thread_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236415503375_thread_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236415703312_alerts_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236415703312_debug_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236415703312_debug_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236415703312_seltrace_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236415703312_seltrace_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236415703312_thread_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236415703312_thread_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236492978453_alerts_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236492978453_debug_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236492978453_debug_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236492978453_seltrace_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236492978453_seltrace_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236492978453_thread_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236492978453_thread_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236493051671_alerts_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236493051671_debug_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236493051671_debug_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236493051671_seltrace_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236493051671_seltrace_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236493051671_thread_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236493051671_thread_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236494437031_alerts_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236494437031_debug_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236494437031_debug_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236494437031_seltrace_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236494437031_seltrace_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236494437031_thread_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236494437031_thread_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236495214562_alerts_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236495214562_debug_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236495214562_debug_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236495214562_seltrace_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236495214562_seltrace_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236495214562_thread_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236495214562_thread_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236495938328_alerts_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236495938328_debug_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236495938328_debug_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236495938328_seltrace_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236495938328_seltrace_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236495938328_thread_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1236495938328_thread_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1237315822031_alerts_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1237315822031_debug_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1237315822031_debug_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1237315822031_seltrace_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1237315822031_seltrace_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1237315822031_thread_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\save\1237315822031_thread_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\seltrace_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\seltrace_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\thread_1.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\logs\thread_2.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\tmp\AZU1679356796301126541.tmp
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\tmp\AZU2077343192427494317.tmp
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\tmp\AZU300671199841179165.tmp
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\tmp\AZU6438734136269056778.tmp
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\tmp\AZU7469883865896599773.tmp
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\tmp\AZU777806281531103676.tmp
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\tracker.config
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\tracker.config.bak
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\update.log
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\update.properties
c:\documents and settings\Brian DiDomenico\Application Data\Azureus\upnp_trace1.log
C:\xuli.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-17 to 2009-03-17 )))))))))))))))))))))))))))))))
.

2009-03-17 11:48 . 2009-03-17 11:48 <DIR> d-------- c:\windows\LastGood
2009-03-11 20:46 . 2009-03-12 01:16 <DIR> d-------- c:\program files\NOS
2009-03-11 20:46 . 2009-03-12 01:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-03-11 02:09 . 2009-03-11 02:09 <DIR> d-------- c:\program files\ERUNT
2009-03-07 21:18 . 2009-03-17 01:37 <DIR> d-------- c:\program files\Spyware Doctor
2009-03-07 21:18 . 2009-03-07 21:20 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-03-07 21:18 . 2009-03-07 21:18 <DIR> d-------- c:\documents and settings\Brian DiDomenico\Application Data\PC Tools
2009-03-07 21:18 . 2009-03-07 21:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-03-07 21:18 . 2008-07-28 12:29 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2009-03-07 21:18 . 2009-03-07 21:22 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-03-07 21:18 . 2009-03-07 21:22 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-03-07 21:18 . 2009-03-07 21:22 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-03-07 21:18 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-03-02 21:39 . 2009-03-02 21:39 <DIR> d-------- c:\program files\SmartFTP Client
2009-03-02 21:38 . 2009-03-02 21:38 <DIR> d-------- c:\program files\SmartFTP Client 3.0 Setup Files
2009-02-22 00:59 . 2009-02-22 00:59 <DIR> d-------- c:\program files\SpacialAudio
2009-02-22 00:15 . 2009-02-22 00:15 <DIR> d-------- c:\program files\MySQL
2009-02-22 00:15 . 2009-02-22 00:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\MySQL
2009-02-19 13:16 . 2009-02-19 13:16 2 --a------ C:\600316945

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-17 18:56 --------- d-----w c:\program files\Azureus
2009-03-17 08:37 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-17 08:31 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-17 08:02 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2009-03-12 01:46 --------- d-----w c:\program files\Common Files\Adobe
2009-03-12 01:46 --------- d-----w c:\documents and settings\Brian DiDomenico\Application Data\AdobeUM
2009-03-11 06:26 --------- d-----w c:\program files\MagicISO
2009-03-05 06:34 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-03 19:53 --------- d-----w c:\program files\SpywareBlaster
2009-02-24 08:57 --------- d-----w c:\documents and settings\Brian DiDomenico\Application Data\SmartFTP
2009-02-24 07:36 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-02-23 10:01 --------- d-----w c:\program files\Trillian
2009-02-21 08:21 --------- d-----w c:\program files\Java
2009-02-20 04:25 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-19 21:17 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-19 08:19 --------- d-----w c:\documents and settings\Brian DiDomenico\Application Data\Skype
2009-02-19 02:39 --------- d-----w c:\documents and settings\Brian DiDomenico\Application Data\skypePM
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-21 19:27 --------- d-----w c:\program files\Common Files\Agfa
2009-01-21 19:27 --------- d-----w c:\program files\Agfa
2009-01-21 00:11 --------- d-----w c:\program files\Common Files\4Team
2009-01-21 00:11 --------- d-----w c:\documents and settings\Brian DiDomenico\Application Data\4Team
2009-01-21 00:10 --------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations
2007-05-22 08:10 70,064 -c--a-w c:\documents and settings\Brian DiDomenico\Application Data\GDIPFONTCACHEV1.DAT
2001-03-28 20:02 122,880 ----a-w c:\windows\inf\Agfa\message.exe
2008-09-01 02:41 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083120080901\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-17_ 1.53.41.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-13 20:28:40 24,592 ----a-w c:\windows\LastGood\system32\DRIVERS\klim5.sys
+ 2009-03-17 18:37:02 16,384 ----atw c:\windows\TEMP\Perflib_Perfdata_3c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-10 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-12-20 278528]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"nwiz"="nwiz.exe" [2005-12-10 c:\windows\system32\nwiz.exe]

c:\documents and settings\Brian DiDomenico\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-02-10 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
DMX 6fire 2496 ControlPanel.lnk - c:\program files\TerraTec\DMX 6fire\DMX6Fire.exe [2006-02-07 335872]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IviRegMgr"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\TYPO3_4.2.2\\Apache\\bin\\Apache.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\SpacialAudio\\SAMBC\\SAMBC.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-03-07 160792]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R2 NeatReceipts Database Controller;NeatReceipts Database Controller;c:\program files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe [2008-02-05 228480]
R2 NProtectService;Norton Unerase Protection;c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [2006-03-04 135168]
R3 dmxfire;DMX6fire WDM Audio;c:\windows\system32\drivers\dmx6fire.sys [2003-08-29 148724]
R3 dmxsens;dmxsens;c:\windows\system32\drivers\dmxsens.sys [2003-07-22 403968]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2007-04-04 20160]
S3 MSSQL$NR2007;SQL Server (NR2007);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-07 356920]
.
Contents of the 'Scheduled Tasks' folder

2009-03-07 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Common Files\Symantec Shared\NMAIN.EXE [2001-08-17 20:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.audiogang.org/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Brian DiDomenico\Application Data\Mozilla\Firefox\Profiles\wbbqgkyk.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-17 12:21:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1647877149-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9D2EB8D1-1029-869F-2FFF-401C4E675D1F}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iadglmggcjmkmacchk"=hex:6a,61,70,6c,67,66,65,6a,62,63,61,67,61,64,6f,61,6d,63,
70,65,00,00
"hajgfmocnppholnn"=hex:6a,61,70,6c,6e,66,64,68,63,67,64,69,61,64,62,63,6d,6c,
6a,62,00,ff
"iapjlpehpapjojlhlp"=hex:63,61,63,6c,6e,65,00,7c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(956)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\fssync.dll
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
Completion time: 2009-03-17 12:24:37
ComboFix-quarantined-files.txt 2009-03-17 19:24:16
ComboFix2.txt 2009-03-17 08:55:58

Pre-Run: 6,078,603,264 bytes free
Post-Run: 6,074,781,696 bytes free

438 --- E O F --- 2009-01-15 08:09:38






Malwarebytes' Anti-Malware 1.34
Database version: 1859
Windows 5.1.2600 Service Pack 3

3/17/2009 1:46:50 PM
mbam-log-2009-03-17 (13-46-50).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 338225
Time elapsed: 1 hour(s), 4 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\cwxwwgtl.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\xuli.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vcar3sdu3yaj3.dll.vir (Trojan.BHO) -> Quarantined and deleted successfully.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:24 PM, on 3/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.audiogang.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NeatReceipts Database Controller - Digital Business Processes - C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

--
End of file - 6810 bytes
 
You may have to get help here: http://support.microsoft.com/
Start by looking here: http://v4.windowsupdate.microsoft.com/troubleshoot/

Post for me the exact error messge "word for word"

c:\program files\Azureus <<< delete that folder in red

Let's see if we can move towards wrapping up and see what happens.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, update it and run it once a month or so)

Update Spyware Doctor with AntiVirus and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx
 
in regards to the Automatic updates problem, I am no longer getting the Access Denied error message but this instead :

Service >>> Properties of Automatic Updates >>> Service type reads Automatic (Service status is stopped) >>> I click on Start and get this error:

Could not start the Automatic Updates service on Local computer
Error 2: the system cannot find the file specified

--------
I ran Spyware Doctor and Malware again. Spyware doctor found a few objects and fixed them.

Malwarebytes' Anti-Malware 1.34
Database version: 1868
Windows 5.1.2600 Service Pack 3

3/18/2009 10:54:54 PM
mbam-log-2009-03-18 (22-54-54).txt

Scan type: Quick Scan
Objects scanned: 80418
Time elapsed: 6 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Could not start the Automatic Updates service on Local computer Error 2: the system cannot find the file specified
Click to expand...
There is some information on Google you can look at:
http://www.google.com/search?hl=en&...he+file+specified&btnG=Google+Search&aq=f&oq=

Lot's of Google on this: Error 2: the system cannot find the file specified
http://www.google.com/search?hl=en&...+2:+the+system+cannot+find+the+file+specified
I ran Spyware Doctor and Malware again. Spyware doctor found a few objects and fixed them.
Click to expand...
I do not use Spyware Doctor, the MBAM scan looks fine.

Try this first in case a file is missing or corrupt:
http://dwightblackburn.com/winxp/

If the issue continues, my next suggestion would be to ask for help here:
http://support.microsoft.com/

Thanks
 
Status
Not open for further replies.
Back
Top