Smitfraud-C CoreService Trojan

mystyflwr

New member
Please help me. I can't seem to get rid of this infection. Your help is greatly appreciated.

HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:58, on 2007-12-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe
c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mmlweb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {02e7ee48-9259-44e1-b2e6-2c7e230c7be2} - C:\WINDOWS\system32\fiysrtl.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: {d6c04a8a-3fd1-7e4a-9d44-a63975d74fa9} - {9af47d57-936a-44d9-a4e7-1df3a8a40c6d} - C:\WINDOWS\system32\suhkasmr.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BA52D46B-0209-40DF-8E17-015B090BCBDC} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] c:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LaunchU3.exe.lnk = ?
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1195060347187
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://tsm.tektegrity.com/inc/kaxRemote.dll
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SurgCenter.local
O17 - HKLM\Software\..\Telephony: DomainName = SurgCenter.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD0C18CD-2069-47C8-86C5-827E4183EC34}: NameServer = 192.168.1.20,216.111.116.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SurgCenter.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SurgCenter.local
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: cbxvwvu - cbxvwvu.dll (file missing)
O20 - Winlogon Notify: coytxylu - coytxylu.dll (file missing)
O20 - Winlogon Notify: winrkq32 - winrkq32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: TekTegrity Agent (KaseyaAgent) - Kaseya - c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe
O23 - Service: Kaseya Security Service (KaseyaAVService) - Unknown owner - c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 12106 bytes
 
Hi mystyflwr

1. Download combofix from one of these links and save it to Desktop:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.

Post:

- a fresh HijackThis log
- combofix report
 
I tried to post the ComboFix log, but it says that the text you have entered is too long (71136 characters). How should I post it?
 
Here is a new HijackThis log. Sorry it took so long.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:27, on 2007-12-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe
c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mmlweb.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {02e7ee48-9259-44e1-b2e6-2c7e230c7be2} - C:\WINDOWS\system32\fiysrtl.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: {d6c04a8a-3fd1-7e4a-9d44-a63975d74fa9} - {9af47d57-936a-44d9-a4e7-1df3a8a40c6d} - C:\WINDOWS\system32\suhkasmr.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BA52D46B-0209-40DF-8E17-015B090BCBDC} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] c:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LaunchU3.exe.lnk = ?
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1195060347187
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://tsm.tektegrity.com/inc/kaxRemote.dll
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SurgCenter.local
O17 - HKLM\Software\..\Telephony: DomainName = SurgCenter.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD0C18CD-2069-47C8-86C5-827E4183EC34}: NameServer = 192.168.1.20,216.111.116.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SurgCenter.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SurgCenter.local
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: cbxvwvu - cbxvwvu.dll (file missing)
O20 - Winlogon Notify: coytxylu - coytxylu.dll (file missing)
O20 - Winlogon Notify: winrkq32 - winrkq32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: TekTegrity Agent (KaseyaAgent) - Kaseya - c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe
O23 - Service: Kaseya Security Service (KaseyaAVService) - Unknown owner - c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 11340 bytes
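A small triage script for logs like the two HijackThis logs above, added here as an example (it is not part of the thread or of HijackThis): it parses the `Oxx - ...` entry lines, flags the load points that usually merit a closer look in a cleanup thread (entries whose file is missing, unnamed BHOs, AppInit_DLLs, Winlogon Notify DLLs listed without a path) and lists which entries disappeared between two scans. The sample lines are a constructed subset drawn from the two logs; the flagging rules are the example's own heuristics, not HijackThis logic.

```python
"""Triage helper for HijackThis (HJT) log entries.

Added example, not part of the thread or of HijackThis. Parses 'Oxx - ...' entry
lines, flags load points worth a closer look (example's own heuristics) and
reports which entries disappeared between two scans.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed subset of the first log posted in the thread.
LOG_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {02e7ee48-9259-44e1-b2e6-2c7e230c7be2} - C:\WINDOWS\system32\fiysrtl.dll (file missing)
O2 - BHO: {d6c04a8a-3fd1-7e4a-9d44-a63975d74fa9} - {9af47d57-936a-44d9-a4e7-1df3a8a40c6d} - C:\WINDOWS\system32\suhkasmr.dll (file missing)
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: cbxvwvu - cbxvwvu.dll (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

# Constructed subset of the second log: the AppInit_DLLs entry and one BHO are gone.
LOG_AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {02e7ee48-9259-44e1-b2e6-2c7e230c7be2} - C:\WINDOWS\system32\fiysrtl.dll (file missing)
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: cbxvwvu - cbxvwvu.dll (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
MISSING = " (file missing)"


@dataclass(frozen=True)
class Entry:
    section: str        # HJT section code, e.g. "O2", "O20", "O23"
    kind: str           # text before the first ": ", e.g. "BHO", "Winlogon Notify"
    name: str           # display name HJT shows ("" when the line has none)
    target: str         # file path or DLL the load point refers to
    file_missing: bool  # HJT could not find the target on disk

    @property
    def key(self) -> Tuple[str, str, str, str]:
        return (self.section, self.kind, self.name, self.target)


def parse_entry(line: str) -> Entry:
    """Split one 'Oxx - kind: name - {clsid} - target (file missing)' line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an HJT entry line: {line!r}")
    section, body = m.group("section"), m.group("body")
    kind, sep, rest = body.partition(": ")
    if not sep:                      # R0/R1 lines have no "kind:" prefix
        kind, rest = section, body
    missing = rest.endswith(MISSING)
    if missing:
        rest = rest[: -len(MISSING)]
    parts = rest.split(" - ")        # name [- clsid/company] - target
    name = parts[0] if len(parts) > 1 else ""
    return Entry(section, kind, name, parts[-1], missing)


def parse_log(text: str) -> List[Entry]:
    return [parse_entry(l) for l in text.splitlines() if ENTRY_RE.match(l.strip())]


def triage(e: Entry) -> List[str]:
    """Heuristic reasons an entry deserves a look (this example's own rules)."""
    reasons = []
    if e.file_missing:
        reasons.append("load point refers to a file that is no longer on disk")
    if e.kind == "AppInit_DLLs" and e.target:
        reasons.append("AppInit_DLLs loads this DLL into every process that uses user32.dll")
    if e.kind == "BHO" and (e.name == "(no name)" or CLSID_RE.match(e.name)):
        reasons.append("BHO has no human-readable name")
    if e.kind == "Winlogon Notify" and "\\" not in e.target:
        reasons.append("Winlogon Notify DLL listed without a path")
    return reasons


def suspicious_entries(text: str) -> List[Tuple[Entry, List[str]]]:
    return [(e, triage(e)) for e in parse_log(text) if triage(e)]


def removed_between(before: str, after: str) -> List[Entry]:
    """Entries present in the earlier scan but absent from the later one."""
    later = {e.key for e in parse_log(after)}
    return [e for e in parse_log(before) if e.key not in later]


if __name__ == "__main__":
    for e, why in suspicious_entries(LOG_BEFORE):
        print(f"[{e.section}] {e.kind}: {e.target}")
        for r in why:
            print("    -", r)
    print("Gone in the second scan:")
    for e in removed_between(LOG_BEFORE, LOG_AFTER):
        print("   ", e.target)
```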
 
ComboFix part 1
ComboFix 07-12-12.3 - ofoor 2007-12-11 15:04:01.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.122 [GMT -8:00]
Running from: C:\Documents and Settings\ofoor\Local Settings\Temporary Internet Files\Content.IE5\T6OC9S7R\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-12 to 2007-12-12 )))))))))))))))))))))))))))))))
.

2007-12-07 23:03 . 2007-12-07 23:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-06 02:41 . 2007-08-20 02:04 6,058,496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-12-06 02:41 . 2007-04-17 01:32 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2007-12-06 02:41 . 2007-03-07 21:10 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2007-12-06 02:41 . 2007-08-20 02:04 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-12-06 02:41 . 2007-08-20 02:04 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-12-06 02:41 . 2007-08-20 02:04 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-12-06 02:41 . 2007-08-20 02:04 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-12-06 02:41 . 2007-08-20 02:04 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-12-06 02:41 . 2007-08-17 02:20 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-12-06 02:28 . 2007-12-06 02:30 <DIR> d-------- C:\de4829dd77365fae207638b3625e35
2007-12-06 02:00 . 2007-12-06 02:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-06 01:59 . 2007-12-06 01:59 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 10:53 . 2007-12-04 10:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-20 13:31 . 2007-11-20 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-20 13:24 . 2007-11-20 13:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-19 10:54 . 2007-11-19 10:54 5,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MS1000.sys
2007-11-19 10:53 . 2007-11-19 12:33 <DIR> d-------- C:\Program Files\The Cleaner Free
2007-11-15 10:14 . 2007-11-15 10:14 <DIR> d-------- C:\Documents and Settings\ofoor\Application Data\AVG7
2007-11-14 12:19 . 2007-11-14 13:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-14 12:19 . 2007-11-14 12:19 9,216 --a------ C:\WINDOWS\SYSTEM32\avgwlntf.dll
2007-11-14 12:18 . 2007-11-14 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-14 10:32 . 2007-11-14 10:32 <DIR> d-------- C:\tektegrity
2007-11-14 10:32 . 2007-11-14 10:32 <DIR> d-------- C:\Program Files\RealVNC
2007-11-14 10:32 . 2007-11-14 10:32 82,432 --a------ C:\WINDOWS\SYSTEM32\msxml4r.dll
2007-11-14 10:32 . 2007-11-14 10:32 44,544 --a------ C:\WINDOWS\SYSTEM32\msxml4a.dll
2007-11-14 10:23 . 2007-11-14 10:23 <DIR> d-------- C:\Program Files\Tektegrity
2007-11-14 10:23 . 2007-05-18 19:23 122,880 --a------ C:\WINDOWS\SYSTEM32\kaseyasp.dll
2007-11-14 10:23 . 2007-05-11 09:31 13,696 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\KaPFA.sys
2007-11-14 10:23 . 2006-12-28 09:57 6,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\KaseyaHA.sys
2007-11-14 08:59 . 2007-11-14 08:59 <DIR> d-------- C:\dd9b114365e7e356e3a9a7956efd
2007-11-13 08:28 . 2007-11-13 08:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-13 08:28 . 2007-11-13 08:28 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 23:15 3,452,960 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-12 23:12 41,492 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-06 11:17 --------- d-----w C:\Program Files\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Program Files\Common Files\Scanner
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-06 11:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 21:31 --------- d-----w C:\Program Files\Lavasoft
2007-11-20 21:27 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Lavasoft
2007-11-16 18:27 --------- d-----w C:\Program Files\RogueRemover FREE
2007-11-14 21:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-11 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-11 01:47 --------- d-----w C:\Program Files\iolo
2007-11-08 14:36 426,242 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak2
2007-11-07 21:26 --------- d-----w C:\Documents and Settings\ofoor\Application Data\U3
2007-11-07 18:21 6,465 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak1
2007-11-07 18:10 117 ----a-w C:\Documents and Settings\ofoor\mit.bat
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2005-03-10 18:20 561,152 -c--a-w C:\Documents and Settings\ofoor\chatlnk.exe
.

((((((((((((((((((((((((((((( snapshot_2007-12-06_23.48.15.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 11:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
+ 2007-12-10 03:04:27 142,336 ----a-w C:\WINDOWS\catchme.exe
+ 2004-08-04 07:56:46 43,520 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wbemsvc.dll
+ 2006-12-04 22:37:58 1,317,648 ----a-w C:\WINDOWS\SYSTEM32\msxml6.dll
+ 2006-10-05 12:31:10 79,872 ----a-w C:\WINDOWS\SYSTEM32\msxml6r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))
 
ComboFix part 2
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02e7ee48-9259-44e1-b2e6-2c7e230c7be2}]
C:\WINDOWS\system32\fiysrtl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9af47d57-936a-44d9-a4e7-1df3a8a40c6d}]
C:\WINDOWS\system32\suhkasmr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA52D46B-0209-40DF-8E17-015B090BCBDC}]
C:\WINDOWS\system32\ssqpp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 06:59]
"System Mechanic Popup Stopper"="C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe" [2004-10-26 15:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 17:12]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 22:01]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 10:35]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 15:39]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 13:30]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [2002-07-16 09:55]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2005-04-08 10:18]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 10:37]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2005-03-13 19:21]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-14 23:11]
"Kaseya Agent Service Helper"="c:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe" [2007-06-04 20:04]

C:\Documents and Settings\jeff.BILLING_01\Start Menu\Programs\Startup\
Shortcut to MAP F.lnk - C:\MAP F.BAT [2004-04-30 15:55:03]

C:\Documents and Settings\ofoor\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - C:\Documents and Settings\ofoor\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-11-26 12:37:21]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2006-08-01 15:04:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-11-14 12:19 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvwvu]
cbxvwvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\coytxylu]
coytxylu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]
winrkq32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll,cdaEngineMain

R2 KaseyaAgent;TekTegrity Agent;"c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe" -s
R2 KaseyaAVService;Kaseya Security Service;"c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe" -s
R3 KAPFA;KAPFA;\??\C:\WINDOWS\system32\drivers\KAPFA.SYS
S3 MS1000;MS1000;C:\WINDOWS\system32\DRIVERS\MS1000.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a432314-4ca7-11db-bf3f-000cf1e4889b}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 15:16:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-12 15:22:13 - machine was rebooted
.
2007-11-14 17:21:55 --- E O F ---
 
Hi

The problem is that you are running Combofix from the temp folder.

Save it to desktop, run it from there and post back a fresh combofix log, please :)
 
I'm so sorry. I'm a dork. Here it is saved to my desktop.

ComboFix 07-12-12.3 - ofoor 2007-12-12 14:31:08.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.135 [GMT -8:00]
Running from: C:\Documents and Settings\ofoor\Local Settings\Temporary Internet Files\Content.IE5\T6OC9S7R\ComboFix[1].exe
.

((((((((((((((((((((((((( Files Created from 2007-11-12 to 2007-12-12 )))))))))))))))))))))))))))))))
.

2007-12-07 23:03 . 2007-12-07 23:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-06 02:41 . 2007-08-20 02:04 6,058,496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-12-06 02:41 . 2007-04-17 01:32 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2007-12-06 02:41 . 2007-03-07 21:10 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2007-12-06 02:41 . 2007-08-20 02:04 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-12-06 02:41 . 2007-08-20 02:04 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-12-06 02:41 . 2007-08-20 02:04 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-12-06 02:41 . 2007-08-20 02:04 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-12-06 02:41 . 2007-08-20 02:04 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-12-06 02:41 . 2007-08-17 02:20 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-12-06 02:28 . 2007-12-06 02:30 <DIR> d-------- C:\de4829dd77365fae207638b3625e35
2007-12-06 02:00 . 2007-12-06 02:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-06 01:59 . 2007-12-06 01:59 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 10:53 . 2007-12-04 10:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-20 13:31 . 2007-11-20 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-20 13:24 . 2007-11-20 13:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-19 10:54 . 2007-11-19 10:54 5,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MS1000.sys
2007-11-19 10:53 . 2007-11-19 12:33 <DIR> d-------- C:\Program Files\The Cleaner Free
2007-11-15 10:14 . 2007-11-15 10:14 <DIR> d-------- C:\Documents and Settings\ofoor\Application Data\AVG7
2007-11-14 12:19 . 2007-11-14 13:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-14 12:19 . 2007-11-14 12:19 9,216 --a------ C:\WINDOWS\SYSTEM32\avgwlntf.dll
2007-11-14 12:18 . 2007-11-14 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-14 10:32 . 2007-11-14 10:32 <DIR> d-------- C:\tektegrity
2007-11-14 10:32 . 2007-11-14 10:32 <DIR> d-------- C:\Program Files\RealVNC
2007-11-14 10:32 . 2007-11-14 10:32 82,432 --a------ C:\WINDOWS\SYSTEM32\msxml4r.dll
2007-11-14 10:32 . 2007-11-14 10:32 44,544 --a------ C:\WINDOWS\SYSTEM32\msxml4a.dll
2007-11-14 10:23 . 2007-11-14 10:23 <DIR> d-------- C:\Program Files\Tektegrity
2007-11-14 10:23 . 2007-05-18 19:23 122,880 --a------ C:\WINDOWS\SYSTEM32\kaseyasp.dll
2007-11-14 10:23 . 2007-05-11 09:31 13,696 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\KaPFA.sys
2007-11-14 10:23 . 2006-12-28 09:57 6,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\KaseyaHA.sys
2007-11-14 08:59 . 2007-11-14 08:59 <DIR> d-------- C:\dd9b114365e7e356e3a9a7956efd
2007-11-13 08:28 . 2007-11-13 08:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-13 08:28 . 2007-11-13 08:28 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 14:45 1,368,052 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-12 23:37 41,684 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-12 22:37 3,522,592 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-06 11:17 --------- d-----w C:\Program Files\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Program Files\Common Files\Scanner
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-06 11:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 21:31 --------- d-----w C:\Program Files\Lavasoft
2007-11-20 21:27 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Lavasoft
2007-11-16 18:27 --------- d-----w C:\Program Files\RogueRemover FREE
2007-11-14 21:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-11 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-11 01:47 --------- d-----w C:\Program Files\iolo
2007-11-08 14:36 426,242 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak2
2007-11-07 21:26 --------- d-----w C:\Documents and Settings\ofoor\Application Data\U3
2007-11-07 18:21 6,465 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak1
2007-11-07 18:10 117 ----a-w C:\Documents and Settings\ofoor\mit.bat
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2005-03-10 18:20 561,152 -c--a-w C:\Documents and Settings\ofoor\chatlnk.exe
.

((((((((((((((((((((((((((((( snapshot_2007-12-06_23.48.15.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 11:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
+ 2007-12-10 03:04:27 142,336 ----a-w C:\WINDOWS\catchme.exe
+ 2004-08-04 07:56:43 25,088 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mslbui.dll
+ 2004-08-04 07:56:46 43,520 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wbemsvc.dll
+ 2006-12-04 22:37:58 1,317,648 ----a-w C:\WINDOWS\SYSTEM32\msxml6.dll
+ 2006-10-05 12:31:10 79,872 ----a-w C:\WINDOWS\SYSTEM32\msxml6r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02e7ee48-9259-44e1-b2e6-2c7e230c7be2}]
C:\WINDOWS\system32\fiysrtl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9af47d57-936a-44d9-a4e7-1df3a8a40c6d}]
C:\WINDOWS\system32\suhkasmr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA52D46B-0209-40DF-8E17-015B090BCBDC}]
C:\WINDOWS\system32\ssqpp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 06:59]
"System Mechanic Popup Stopper"="C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe" [2004-10-26 15:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 17:12]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 22:01]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 10:35]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 15:39]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 13:30]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [2002-07-16 09:55]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2005-04-08 10:18]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 10:37]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2005-03-13 19:21]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-14 23:11]
"Kaseya Agent Service Helper"="c:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe" [2007-06-04 20:04]

C:\Documents and Settings\jeff.BILLING_01\Start Menu\Programs\Startup\
Shortcut to MAP F.lnk - C:\MAP F.BAT [2004-04-30 15:55:03]

C:\Documents and Settings\ofoor\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - C:\Documents and Settings\ofoor\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-11-26 12:37:21]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2006-08-01 15:04:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-11-14 12:19 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvwvu]
cbxvwvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\coytxylu]
coytxylu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]
winrkq32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll,cdaEngineMain

R2 KaseyaAgent;TekTegrity Agent;"c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe" -s
R2 KaseyaAVService;Kaseya Security Service;"c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe" -s
S3 MS1000;MS1000;C:\WINDOWS\system32\DRIVERS\MS1000.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a432314-4ca7-11db-bf3f-000cf1e4889b}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 14:37:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-12 14:41:12
C:\ComboFix2.txt ... 2007-12-12 15:22
.
2007-11-14 17:21:55 --- E O F ---
 
Hi

No, unfortunately it's not; it's still running from the IE temp folder:

Running from: C:\Documents and Settings\ofoor\Local Settings\Temporary Internet Files\Content.IE5\T6OC9S7R\ComboFix[1].exe

1. Right-click this link
2. Choose save as or save target as (depends on your browser).
3. Save it to your desktop
4. Run combofix
5. Post a fresh combofix log.
 
ComboFix 07-12-12.3 - ofoor 2007-12-13 14:28:43.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.64 [GMT -8:00]
Running from: C:\Documents and Settings\ofoor\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-07 23:03 . 2007-12-07 23:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-06 02:41 . 2007-08-20 02:04 6,058,496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-12-06 02:41 . 2007-04-17 01:32 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2007-12-06 02:41 . 2007-03-07 21:10 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2007-12-06 02:41 . 2007-08-20 02:04 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-12-06 02:41 . 2007-08-20 02:04 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-12-06 02:41 . 2007-08-20 02:04 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-12-06 02:41 . 2007-08-20 02:04 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-12-06 02:41 . 2007-08-20 02:04 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-12-06 02:41 . 2007-08-17 02:20 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-12-06 02:28 . 2007-12-06 02:30 <DIR> d-------- C:\de4829dd77365fae207638b3625e35
2007-12-06 02:00 . 2007-12-06 02:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-06 01:59 . 2007-12-06 01:59 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 10:53 . 2007-12-04 10:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-20 13:31 . 2007-11-20 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-20 13:24 . 2007-11-20 13:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-19 10:54 . 2007-11-19 10:54 5,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MS1000.sys
2007-11-19 10:53 . 2007-11-19 12:33 <DIR> d-------- C:\Program Files\The Cleaner Free
2007-11-15 10:14 . 2007-11-15 10:14 <DIR> d-------- C:\Documents and Settings\ofoor\Application Data\AVG7
2007-11-14 12:19 . 2007-11-14 13:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-14 12:19 . 2007-11-14 12:19 9,216 --a------ C:\WINDOWS\SYSTEM32\avgwlntf.dll
2007-11-14 12:18 . 2007-11-14 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-14 10:32 . 2007-11-14 10:32 <DIR> d-------- C:\tektegrity
2007-11-14 10:32 . 2007-11-14 10:32 <DIR> d-------- C:\Program Files\RealVNC
2007-11-14 10:32 . 2007-11-14 10:32 82,432 --a------ C:\WINDOWS\SYSTEM32\msxml4r.dll
2007-11-14 10:32 . 2007-11-14 10:32 44,544 --a------ C:\WINDOWS\SYSTEM32\msxml4a.dll
2007-11-14 10:23 . 2007-11-14 10:23 <DIR> d-------- C:\Program Files\Tektegrity
2007-11-14 10:23 . 2007-05-18 19:23 122,880 --a------ C:\WINDOWS\SYSTEM32\kaseyasp.dll
2007-11-14 10:23 . 2007-05-11 09:31 13,696 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\KaPFA.sys
2007-11-14 10:23 . 2006-12-28 09:57 6,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\KaseyaHA.sys
2007-11-14 08:59 . 2007-11-14 08:59 <DIR> d-------- C:\dd9b114365e7e356e3a9a7956efd
2007-11-13 08:28 . 2007-11-13 08:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-13 08:28 . 2007-11-13 08:28 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 22:34 3,641,376 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-13 14:45 1,368,052 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-12 23:31 42,452 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-06 11:17 --------- d-----w C:\Program Files\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Program Files\Common Files\Scanner
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-06 11:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 21:31 --------- d-----w C:\Program Files\Lavasoft
2007-11-20 21:27 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Lavasoft
2007-11-16 18:27 --------- d-----w C:\Program Files\RogueRemover FREE
2007-11-14 21:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-11 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-11 01:47 --------- d-----w C:\Program Files\iolo
2007-11-08 14:36 426,242 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak2
2007-11-07 21:26 --------- d-----w C:\Documents and Settings\ofoor\Application Data\U3
2007-11-07 18:21 6,465 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak1
2007-11-07 18:10 117 ----a-w C:\Documents and Settings\ofoor\mit.bat
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2005-03-10 18:20 561,152 -c--a-w C:\Documents and Settings\ofoor\chatlnk.exe
.

((((((((((((((((((((((((((((( snapshot_2007-12-06_23.48.15.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 11:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
+ 2007-12-10 03:04:27 142,336 ----a-w C:\WINDOWS\catchme.exe
+ 2004-08-04 07:56:43 25,088 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mslbui.dll
+ 2004-08-04 07:56:46 43,520 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wbemsvc.dll
+ 2006-12-04 22:37:58 1,317,648 ----a-w C:\WINDOWS\SYSTEM32\msxml6.dll
+ 2006-10-05 12:31:10 79,872 ----a-w C:\WINDOWS\SYSTEM32\msxml6r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02e7ee48-9259-44e1-b2e6-2c7e230c7be2}]
C:\WINDOWS\system32\fiysrtl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9af47d57-936a-44d9-a4e7-1df3a8a40c6d}]
C:\WINDOWS\system32\suhkasmr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA52D46B-0209-40DF-8E17-015B090BCBDC}]
C:\WINDOWS\system32\ssqpp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 06:59]
"System Mechanic Popup Stopper"="C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe" [2004-10-26 15:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 17:12]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 22:01]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 10:35]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 15:39]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 13:30]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [2002-07-16 09:55]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2005-04-08 10:18]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 10:37]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2005-03-13 19:21]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-14 23:11]
"Kaseya Agent Service Helper"="c:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe" [2007-06-04 20:04]

C:\Documents and Settings\jeff.BILLING_01\Start Menu\Programs\Startup\
Shortcut to MAP F.lnk - C:\MAP F.BAT [2004-04-30 15:55:03]

C:\Documents and Settings\ofoor\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - C:\Documents and Settings\ofoor\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-11-26 12:37:21]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2006-08-01 15:04:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-11-14 12:19 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvwvu]
cbxvwvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\coytxylu]
coytxylu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]
winrkq32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll,cdaEngineMain

R2 KaseyaAgent;TekTegrity Agent;"c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe" -s
R2 KaseyaAVService;Kaseya Security Service;"c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe" -s
R3 KAPFA;KAPFA;\??\C:\WINDOWS\system32\drivers\KAPFA.SYS
S3 MS1000;MS1000;C:\WINDOWS\system32\DRIVERS\MS1000.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a432314-4ca7-11db-bf3f-000cf1e4889b}]
\Shell\AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - KAPFA
*Newly Created Service* - KASEYAAVSERVICE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 14:35:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-13 14:38:30
C:\ComboFix2.txt ... 2007-12-12 14:41
C:\ComboFix3.txt ... 2007-12-12 15:22
.
2007-11-14 17:21:55 --- E O F ---
 
Hi

Good, now it's in a permanent place :)

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\WINDOWS\SYSTEM32\ppqss.bak2
C:\WINDOWS\SYSTEM32\ppqss.bak1

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02e7ee48-9259-44e1-b2e6-2c7e230c7be2}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9af47d57-936a-44d9-a4e7-1df3a8a40c6d}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA52D46B-0209-40DF-8E17-015B090BCBDC}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvwvu]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\coytxylu]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab, and end any processes named findstr, find, sed or swreg; then Combofix should continue.
If that happens we want to know, and also which process you had to end.
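To show what the CFScript above is doing, here is an added example (not ComboFix code and not the helper's script) that parses the "Reg Loading Points" and Find3M lines quoted from the logs earlier in this thread and drafts the File:: and Registry:: sections in the same format. The two flagging rules and the parse_* / flag_* helper names are this example's own assumptions, not anything ComboFix implements.

```python
"""Draft a ComboFix CFScript from 'Reg Loading Points' and Find3M lines.

Added example for this thread: not ComboFix code and not the helper's
script. The two flagging rules are this example's own assumptions:
  1. A Winlogon\\Notify value that ComboFix prints as a bare DLL name,
     without the "date time size path" annotation it gives avgwlntf.dll,
     is a DLL ComboFix could not stat on disk; flag the key.
  2. A Browser Helper Object whose DLL stem, reversed, names a hidden
     .bak file in Find3M (ssqpp.dll vs ppqss.bak1/.bak2) is flagged
     together with those .bak files.
"""
import re

# Constructed sample: lines copied from the logs earlier in this thread.
REG_LOADING_POINTS = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02e7ee48-9259-44e1-b2e6-2c7e230c7be2}]
C:\WINDOWS\system32\fiysrtl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9af47d57-936a-44d9-a4e7-1df3a8a40c6d}]
C:\WINDOWS\system32\suhkasmr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA52D46B-0209-40DF-8E17-015B090BCBDC}]
C:\WINDOWS\system32\ssqpp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-11-14 12:19 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvwvu]
cbxvwvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\coytxylu]
coytxylu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]
winrkq32.dll
"""

FIND3M = r"""
2007-11-08 14:36 426,242 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak2
2007-11-07 18:21 6,465 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak1
2007-11-07 18:10 117 ----a-w C:\Documents and Settings\ofoor\mit.bat
2007-12-06 11:17 --------- d-----w C:\Program Files\Yahoo!
"""

def parse_loading_points(text):
    """Return [(registry_key, value_line), ...] from a Reg Loading Points dump."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            key = None                      # blank line ends the current key block
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            entries.append((key, line))
    return entries

def parse_find3m(text):
    """Return {full_path: attribute_flags} for each file line in a Find3M report."""
    files = {}
    for line in text.splitlines():
        m = re.match(r"\d{4}-\d\d-\d\d \d\d:\d\d (\S+) (\S+) (.+)$", line.strip())
        if m and m.group(1) != "---------":  # a '---------' size marks a directory
            files[m.group(3)] = m.group(2)
    return files

def _stem(path):
    """Lower-case file name without extension: C:\\x\\ssqpp.dll -> ssqpp."""
    return path.rsplit("\\", 1)[-1].lower().rpartition(".")[0]

def flag_notify(entries):
    """Rule 1: Winlogon\\Notify keys whose value is only a bare DLL name."""
    return [key for key, value in entries
            if "winlogon\\notify\\" in key.lower()
            and re.fullmatch(r"[\w-]+\.dll", value, re.I)]

def flag_reversed_bak(entries, files):
    """Rule 2: BHO keys whose DLL stem, reversed, matches a hidden .bak file."""
    hidden_baks = {}
    for path, attrs in files.items():
        ext = path.rsplit(".", 1)[-1].lower()
        if ext.startswith("bak") and "h" in attrs:
            hidden_baks.setdefault(_stem(path), []).append(path)
    keys, baks = [], []
    for key, value in entries:
        if "browser helper objects" in key.lower() and _stem(value)[::-1] in hidden_baks:
            keys.append(key)
            baks.extend(hidden_baks[_stem(value)[::-1]])
    return keys, baks

def build_cfscript(entries, files):
    """Emit File:: and Registry:: sections in the format the helper used."""
    bho_keys, bak_paths = flag_reversed_bak(entries, files)
    lines = ["File::"] + bak_paths + ["", "Registry::"]
    for key in bho_keys + flag_notify(entries):
        lines += ["[-%s]" % key, ""]
    return "\n".join(lines).rstrip("\n") + "\n"

if __name__ == "__main__":
    print(build_cfscript(parse_loading_points(REG_LOADING_POINTS), parse_find3m(FIND3M)))
```

On these lines it reproduces the two File:: entries and four of the six [-key] lines in the helper's script; fiysrtl.dll and suhkasmr.dll trip neither rule and remain a human call, which is why the draft is a starting point for review rather than something to run blindly.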
 
Hope I did this right.

ComboFix 07-12-12.3 - ofoor 2007-12-14 15:04:17.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.135 [GMT -8:00]
Running from: C:\Documents and Settings\ofoor\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ofoor\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-14 to 2007-12-14 )))))))))))))))))))))))))))))))
.

2007-12-07 23:03 . 2007-12-07 23:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-06 02:41 . 2007-08-20 02:04 6,058,496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-12-06 02:41 . 2007-04-17 01:32 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2007-12-06 02:41 . 2007-03-07 21:10 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2007-12-06 02:41 . 2007-08-20 02:04 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-12-06 02:41 . 2007-08-20 02:04 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-12-06 02:41 . 2007-08-20 02:04 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-12-06 02:41 . 2007-08-20 02:04 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-12-06 02:41 . 2007-08-20 02:04 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-12-06 02:41 . 2007-08-17 02:20 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-12-06 02:28 . 2007-12-06 02:30 <DIR> d-------- C:\de4829dd77365fae207638b3625e35
2007-12-06 02:00 . 2007-12-06 02:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-06 01:59 . 2007-12-06 01:59 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 10:53 . 2007-12-04 10:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-20 13:31 . 2007-11-20 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-20 13:24 . 2007-11-20 13:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-19 10:54 . 2007-11-19 10:54 5,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MS1000.sys
2007-11-19 10:53 . 2007-11-19 12:33 <DIR> d-------- C:\Program Files\The Cleaner Free
2007-11-15 10:14 . 2007-11-15 10:14 <DIR> d-------- C:\Documents and Settings\ofoor\Application Data\AVG7
2007-11-14 12:19 . 2007-11-14 13:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-14 12:19 . 2007-11-14 12:19 9,216 --a------ C:\WINDOWS\SYSTEM32\avgwlntf.dll
2007-11-14 12:18 . 2007-11-14 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-14 10:32 . 2007-11-14 10:32 <DIR> d-------- C:\tektegrity
2007-11-14 10:32 . 2007-11-14 10:32 <DIR> d-------- C:\Program Files\RealVNC
2007-11-14 10:32 . 2007-11-14 10:32 82,432 --a------ C:\WINDOWS\SYSTEM32\msxml4r.dll
2007-11-14 10:32 . 2007-11-14 10:32 44,544 --a------ C:\WINDOWS\SYSTEM32\msxml4a.dll
2007-11-14 10:23 . 2007-11-14 10:23 <DIR> d-------- C:\Program Files\Tektegrity
2007-11-14 10:23 . 2007-05-18 19:23 122,880 --a------ C:\WINDOWS\SYSTEM32\kaseyasp.dll
2007-11-14 10:23 . 2007-05-11 09:31 13,696 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\KaPFA.sys
2007-11-14 10:23 . 2006-12-28 09:57 6,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\KaseyaHA.sys
2007-11-14 08:59 . 2007-11-14 08:59 <DIR> d-------- C:\dd9b114365e7e356e3a9a7956efd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-14 23:09 3,713,056 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-13 23:31 43,868 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-13 14:45 1,368,052 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-06 11:17 --------- d-----w C:\Program Files\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Program Files\Common Files\Scanner
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-06 11:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 21:31 --------- d-----w C:\Program Files\Lavasoft
2007-11-20 21:27 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Lavasoft
2007-11-16 18:27 --------- d-----w C:\Program Files\RogueRemover FREE
2007-11-14 21:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-11 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-11 01:47 --------- d-----w C:\Program Files\iolo
2007-11-08 14:36 426,242 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak2
2007-11-07 21:26 --------- d-----w C:\Documents and Settings\ofoor\Application Data\U3
2007-11-07 18:21 6,465 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak1
2007-11-07 18:10 117 ----a-w C:\Documents and Settings\ofoor\mit.bat
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2005-03-10 18:20 561,152 -c--a-w C:\Documents and Settings\ofoor\chatlnk.exe
.

((((((((((((((((((((((((((((( snapshot_2007-12-06_23.48.15.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 11:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
+ 2007-12-10 03:04:27 142,336 ----a-w C:\WINDOWS\catchme.exe
+ 2004-08-04 07:56:43 25,088 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mslbui.dll
+ 2004-08-04 07:56:46 43,520 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wbemsvc.dll
+ 2006-12-04 22:37:58 1,317,648 ----a-w C:\WINDOWS\SYSTEM32\msxml6.dll
+ 2006-10-05 12:31:10 79,872 ----a-w C:\WINDOWS\SYSTEM32\msxml6r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02e7ee48-9259-44e1-b2e6-2c7e230c7be2}]
C:\WINDOWS\system32\fiysrtl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9af47d57-936a-44d9-a4e7-1df3a8a40c6d}]
C:\WINDOWS\system32\suhkasmr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA52D46B-0209-40DF-8E17-015B090BCBDC}]
C:\WINDOWS\system32\ssqpp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 06:59]
"System Mechanic Popup Stopper"="C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe" [2004-10-26 15:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 17:12]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 22:01]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 10:35]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 15:39]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 13:30]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [2002-07-16 09:55]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2005-04-08 10:18]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 10:37]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2005-03-13 19:21]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-14 23:11]
"Kaseya Agent Service Helper"="c:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe" [2007-06-04 20:04]

C:\Documents and Settings\jeff.BILLING_01\Start Menu\Programs\Startup\
Shortcut to MAP F.lnk - C:\MAP F.BAT [2004-04-30 15:55:03]

C:\Documents and Settings\ofoor\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - C:\Documents and Settings\ofoor\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-11-26 12:37:21]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2006-08-01 15:04:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-11-14 12:19 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvwvu]
cbxvwvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\coytxylu]
coytxylu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]
winrkq32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll,cdaEngineMain

R2 KaseyaAgent;TekTegrity Agent;"c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe" -s
R2 KaseyaAVService;Kaseya Security Service;"c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe" -s
R3 KAPFA;KAPFA;\??\C:\WINDOWS\system32\drivers\KAPFA.SYS
S3 MS1000;MS1000;C:\WINDOWS\system32\DRIVERS\MS1000.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a432314-4ca7-11db-bf3f-000cf1e4889b}]
\Shell\AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - KASEYAAVSERVICE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-14 15:10:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-14 15:13:45
C:\ComboFix2.txt ... 2007-12-13 14:38
C:\ComboFix3.txt ... 2007-12-12 14:41
.
2007-11-14 17:21:55 --- E O F ---
 
HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:19, on 2007-12-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\mmlweb.exe
c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {02e7ee48-9259-44e1-b2e6-2c7e230c7be2} - C:\WINDOWS\system32\fiysrtl.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: {d6c04a8a-3fd1-7e4a-9d44-a63975d74fa9} - {9af47d57-936a-44d9-a4e7-1df3a8a40c6d} - C:\WINDOWS\system32\suhkasmr.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BA52D46B-0209-40DF-8E17-015B090BCBDC} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] c:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LaunchU3.exe.lnk = ?
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1195060347187
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://tsm.tektegrity.com/inc/kaxRemote.dll
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SurgCenter.local
O17 - HKLM\Software\..\Telephony: DomainName = SurgCenter.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD0C18CD-2069-47C8-86C5-827E4183EC34}: NameServer = 192.168.1.20,216.111.116.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SurgCenter.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SurgCenter.local
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: cbxvwvu - cbxvwvu.dll (file missing)
O20 - Winlogon Notify: coytxylu - coytxylu.dll (file missing)
O20 - Winlogon Notify: winrkq32 - winrkq32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: TekTegrity Agent (KaseyaAgent) - Kaseya - c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe
O23 - Service: Kaseya Security Service (KaseyaAVService) - Unknown owner - c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 11394 bytes
 
Is this what it is supposed to look like?

C:\WINDOWS\SYSTEM32\ppqss.bak2
C:\WINDOWS\SYSTEM32\ppqss.bak1
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02e7ee48-9259-44e1-b2e6-2c7e230c7be2}]
C:\WINDOWS\system32\fiysrtl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9af47d57-936a-44d9-a4e7-1df3a8a40c6d}]
C:\WINDOWS\system32\suhkasmr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA52D46B-0209-40DF-8E17-015B090BCBDC}]
C:\WINDOWS\system32\ssqpp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvwvu]
cbxvwvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\coytxylu]
coytxylu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]
winrkq32.dll
 
Hi

1. Open Notepad.

2. Copy/paste all text below into Notepad:

File::
C:\WINDOWS\SYSTEM32\ppqss.bak2
C:\WINDOWS\SYSTEM32\ppqss.bak1

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02e7ee48-9259-44e1-b2e6-2c7e230c7be2}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9af47d57-936a-44d9-a4e7-1df3a8a40c6d}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA52D46B-0209-40DF-8E17-015B090BCBDC}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvwvu]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\coytxylu]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]

3. Save file as CFScript to Desktop.

4. Drag and drop CFScript to Combofix as in picture above.

If still problems, please ask :)
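Added example, not from this thread and not part of ComboFix or HijackThis: a small Python script that reads HijackThis O2 (BHO) and O20 (Winlogon Notify) lines, keeps the ones HijackThis marks "(file missing)", and renders them as a CFScript in the same File::/Registry:: layout used in the post above, with the "-" prefix that tells ComboFix to delete the key and the same "~" shorthand the ComboFix report itself uses for the BHO key. The function names parse_hjt, dead_hooks and build_cfscript are my own; the sample lines are constructed from the log entries quoted in this thread.

```python
import re
from typing import Dict, List

# Constructed sample built from the HijackThis O2/O20 lines quoted in this
# thread; it is not a fresh log capture.
SAMPLE_HJT = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {02e7ee48-9259-44e1-b2e6-2c7e230c7be2} - C:\\WINDOWS\\system32\\fiysrtl.dll (file missing)
O2 - BHO: (no name) - {BA52D46B-0209-40DF-8E17-015B090BCBDC} - C:\\WINDOWS\\system32\\ssqpp.dll (file missing)
O20 - Winlogon Notify: avgwlntf - C:\\WINDOWS\\SYSTEM32\\avgwlntf.dll
O20 - Winlogon Notify: cbxvwvu - cbxvwvu.dll (file missing)
O20 - Winlogon Notify: winrkq32 - winrkq32.dll (file missing)
"""

# HijackThis O2 (Browser Helper Object) and O20 (Winlogon Notify) line shapes.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<id>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<id>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# Registry keys written in the same shorthand the thread's CFScript uses
# ("~" is ComboFix's abbreviation for the Explorer BHO key).
BHO_KEY = "HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{%s}"
NOTIFY_KEY = (
    "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    "\\winlogon\\notify\\%s"
)


def parse_hjt(log: str) -> List[Dict[str, object]]:
    """Return O2/O20 entries with their id, DLL path and missing-file flag."""
    entries: List[Dict[str, object]] = []
    for line in log.splitlines():
        for kind, rx in (("O2", BHO_RE), ("O20", NOTIFY_RE)):
            m = rx.match(line)
            if m:
                entries.append({
                    "kind": kind,
                    "id": m["id"],
                    "path": m["path"],
                    "missing": m["missing"] is not None,
                })
                break
    return entries


def dead_hooks(entries):
    """Autostart hooks whose DLL no longer exists on disk.

    A BHO or Winlogon Notify registration that points at a missing DLL is
    the orphaned hook a cleaner left behind after removing the payload;
    these are the entries the CFScript in this thread deletes."""
    return [e for e in entries if e["missing"]]


def build_cfscript(entries, files=()) -> str:
    """Render a CFScript with File:: and Registry:: sections."""
    out: List[str] = []
    if files:
        out.append("File::")
        out.extend(files)
        out.append("")
    hooks = dead_hooks(entries)
    if hooks:
        out.append("Registry::")
        for e in hooks:
            key = BHO_KEY % e["id"] if e["kind"] == "O2" else NOTIFY_KEY % e["id"]
            out.append("[-%s]" % key)  # leading "-" tells ComboFix to delete the key
            out.append("")
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    script = build_cfscript(
        parse_hjt(SAMPLE_HJT),
        files=["C:\\WINDOWS\\SYSTEM32\\ppqss.bak2", "C:\\WINDOWS\\SYSTEM32\\ppqss.bak1"],
    )
    print(script, end="")
```

The File:: paths are passed in by hand on purpose: which hidden files to remove is the helper's judgment from the ComboFix report, not something a regex over the HijackThis log can decide. Read the generated script before dragging it onto ComboFix, since every [-...] line is a key deletion.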
 
Copied and pasted

ComboFix 07-12-12.3 - ofoor 2007-12-21 14:35:03.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.132 [GMT -8:00]
Running from: C:\Documents and Settings\ofoor\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ofoor\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))))))))))))))))))))))
.

2007-12-07 23:03 . 2007-12-07 23:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-06 02:41 . 2007-08-20 02:04 6,058,496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-12-06 02:41 . 2007-04-17 01:32 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2007-12-06 02:41 . 2007-03-07 21:10 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2007-12-06 02:41 . 2007-08-20 02:04 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-12-06 02:41 . 2007-08-20 02:04 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-12-06 02:41 . 2007-08-20 02:04 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-12-06 02:41 . 2007-08-20 02:04 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-12-06 02:41 . 2007-08-20 02:04 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-12-06 02:41 . 2007-08-17 02:20 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-12-06 02:28 . 2007-12-06 02:30 <DIR> d-------- C:\de4829dd77365fae207638b3625e35
2007-12-06 02:00 . 2007-12-06 02:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-06 01:59 . 2007-12-06 01:59 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 10:53 . 2007-12-04 10:53 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 22:40 4,124,704 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-20 23:32 48,020 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-13 14:45 1,368,052 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-06 11:17 --------- d-----w C:\Program Files\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Program Files\Common Files\Scanner
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-06 11:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 21:31 --------- d-----w C:\Program Files\Lavasoft
2007-11-20 21:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-20 21:27 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Lavasoft
2007-11-20 21:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-19 20:33 --------- d-----w C:\Program Files\The Cleaner Free
2007-11-19 18:54 5,376 ----a-w C:\WINDOWS\system32\drivers\MS1000.sys
2007-11-16 18:27 --------- d-----w C:\Program Files\RogueRemover FREE
2007-11-15 18:14 --------- d-----w C:\Documents and Settings\ofoor\Application Data\AVG7
2007-11-14 21:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-14 21:55 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-14 20:19 9,216 ----a-w C:\WINDOWS\SYSTEM32\avgwlntf.dll
2007-11-14 20:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-14 18:32 82,432 ----a-w C:\WINDOWS\SYSTEM32\msxml4r.dll
2007-11-14 18:32 44,544 ----a-w C:\WINDOWS\SYSTEM32\msxml4a.dll
2007-11-14 18:32 --------- d-----w C:\Program Files\RealVNC
2007-11-14 18:23 --------- d-----w C:\Program Files\Tektegrity
2007-11-11 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-11 01:47 --------- d-----w C:\Program Files\iolo
2007-11-08 14:36 426,242 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak2
2007-11-07 21:26 --------- d-----w C:\Documents and Settings\ofoor\Application Data\U3
2007-11-07 18:21 6,465 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak1
2007-11-07 18:10 117 ----a-w C:\Documents and Settings\ofoor\mit.bat
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2005-03-10 18:20 561,152 -c--a-w C:\Documents and Settings\ofoor\chatlnk.exe
.

((((((((((((((((((((((((((((( snapshot_2007-12-06_23.48.15.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 11:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
+ 2007-12-10 03:04:27 142,336 ----a-w C:\WINDOWS\catchme.exe
+ 2004-08-04 07:56:43 25,088 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mslbui.dll
+ 2004-08-04 07:56:46 43,520 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wbemsvc.dll
- 2007-11-14 20:19:29 3,968 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
+ 2007-12-20 15:02:14 10,760 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
- 2007-11-14 20:38:19 19,904 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
+ 2007-12-20 15:01:54 26,952 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
+ 2006-12-04 22:37:58 1,317,648 ----a-w C:\WINDOWS\SYSTEM32\msxml6.dll
+ 2006-10-05 12:31:10 79,872 ----a-w C:\WINDOWS\SYSTEM32\msxml6r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02e7ee48-9259-44e1-b2e6-2c7e230c7be2}]
C:\WINDOWS\system32\fiysrtl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9af47d57-936a-44d9-a4e7-1df3a8a40c6d}]
C:\WINDOWS\system32\suhkasmr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA52D46B-0209-40DF-8E17-015B090BCBDC}]
C:\WINDOWS\system32\ssqpp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 06:59]
"System Mechanic Popup Stopper"="C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe" [2004-10-26 15:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 17:12]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 22:01]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 10:35]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 15:39]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 13:30]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [2002-07-16 09:55]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2005-04-08 10:18]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 10:37]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2005-03-13 19:21]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-14 23:11]
"Kaseya Agent Service Helper"="c:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe" [2007-06-04 20:04]

C:\Documents and Settings\jeff.BILLING_01\Start Menu\Programs\Startup\
Shortcut to MAP F.lnk - C:\MAP F.BAT [2004-04-30 15:55:03]

C:\Documents and Settings\ofoor\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - C:\Documents and Settings\ofoor\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-11-26 12:37:21]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2006-08-01 15:04:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-11-14 12:19 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvwvu]
cbxvwvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\coytxylu]
coytxylu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]
winrkq32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll,cdaEngineMain

R2 KaseyaAgent;TekTegrity Agent;"c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe" -s
R2 KaseyaAVService;Kaseya Security Service;"c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe" -s
S3 MS1000;MS1000;C:\WINDOWS\system32\DRIVERS\MS1000.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a432314-4ca7-11db-bf3f-000cf1e4889b}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 14:40:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-21 14:42:34
C:\ComboFix2.txt ... 2007-12-14 15:13
C:\ComboFix3.txt ... 2007-12-13 14:38
.
2007-11-14 17:21:55 --- E O F ---
 
Here is a new HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:06, on 2007-12-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe
c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\mmlweb.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {02e7ee48-9259-44e1-b2e6-2c7e230c7be2} - C:\WINDOWS\system32\fiysrtl.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: {d6c04a8a-3fd1-7e4a-9d44-a63975d74fa9} - {9af47d57-936a-44d9-a4e7-1df3a8a40c6d} - C:\WINDOWS\system32\suhkasmr.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BA52D46B-0209-40DF-8E17-015B090BCBDC} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] c:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1336872296-958668538-1425031988-1008\..\Run: [Sonic RecordNow!] (User '?')
O4 - HKUS\S-1-5-21-1336872296-958668538-1425031988-1008\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1336872296-958668538-1425031988-1008\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User '?')
O4 - HKUS\S-1-5-21-790525478-688789844-839522115-1129\..\Run: [Sonic RecordNow!] (User '?')
O4 - HKUS\S-1-5-21-790525478-688789844-839522115-1607\..\Run: [Sonic RecordNow!] (User '?')
O4 - S-1-5-21-1336872296-958668538-1425031988-1008 Startup: Shortcut to MAP F.lnk = C:\MAP F.BAT (User '?')
O4 - S-1-5-21-790525478-688789844-839522115-1129 Startup: CPWin.lnk = cpwin\CPWin.exe (User '?')
O4 - S-1-5-21-790525478-688789844-839522115-1129 Startup: PowerReg Scheduler V3.exe (User '?')
O4 - Startup: LaunchU3.exe.lnk = ?
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1195060347187
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://tsm.tektegrity.com/inc/kaxRemote.dll
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SurgCenter.local
O17 - HKLM\Software\..\Telephony: DomainName = SurgCenter.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD0C18CD-2069-47C8-86C5-827E4183EC34}: NameServer = 192.168.1.20,216.111.116.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SurgCenter.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SurgCenter.local
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: cbxvwvu - cbxvwvu.dll (file missing)
O20 - Winlogon Notify: coytxylu - coytxylu.dll (file missing)
O20 - Winlogon Notify: winrkq32 - winrkq32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: TekTegrity Agent (KaseyaAgent) - Kaseya - c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe
O23 - Service: Kaseya Security Service (KaseyaAVService) - Unknown owner - c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 12166 bytes