Karl's PC Help Forums

HJT pleaseee
blue11 - 6-8-2008 at 02:02

Need help with a fake reporting program calling itself Antivirus XP 2008 -- trouble opening docs -- fake reports of 700 viruses -- occasional shutdown of services -- and cannot remove this program.

HJT=
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:16 PM, on 8/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\SPA\smc.exe
C:\Program Files\Symantec\SPA\snac.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\spools.exe
C:\DOCUME~1\LEEPAY~1\LOCALS~1\Temp\winlogan.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\rhc91rj0e56g\rhc91rj0e56g.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\lphcc1rj0e56g.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\WINDOWS\system32\pphcc1rj0e56g.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Symantec\SPA\SmcGui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66008
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66008
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070824
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [wekewfjo983mkefdd] C:\DOCUME~1\LEEPAY~1\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [e052f4a8] rundll32.exe "C:\WINDOWS\system32\bktlaepy.dll",b
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Lee Payton\cftmon.exe
O4 - HKLM\..\Run: [lphcc1rj0e56g] C:\WINDOWS\system32\lphcc1rj0e56g.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SMrhc91rj0e56g] C:\Program Files\rhc91rj0e56g\rhc91rj0e56g.exe
O4 - HKLM\..\Run: [BMe361c734] Rundll32.exe "C:\WINDOWS\system32\souhfdkn.dll",s
O4 - HKCU\..\Run: [lphcc1rj0e56g] C:\WINDOWS\system32\lphcc1rj0e56g.exe
O4 - HKCU\..\Run: [wekewfjo983mkefdd] C:\DOCUME~1\LEEPAY~1\LOCALS~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\Lee Payton\xrt_pfbs.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\LEEPAY~1\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Lee Payton\cftmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2D951DA-6CA3-4F54-9131-ADECA2422C35}: NameServer = 71.242.0.12,71.250.0.12
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Symantec Protection Agent 5.1 (SmcService) - Symantec Corporation - C:\Program Files\Symantec\SPA\smc.exe
O23 - Service: Symantec NAC Service (SNAC) - Symantec Corporation - C:\Program Files\Symantec\SPA\snac.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 9457 bytes
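
The log above is typical of what a helper scans by eye: autoruns launched from a Temp folder, executables named one letter away from core Windows binaries (spools.exe, winlogan.exe, cftmon.exe, csrssc.exe), an .exe sitting in the drivers directory, a service whose path hides an alternate data stream (svchost.exe:exe.exe), and orphaned "(file missing)" entries. The script below is an added example, not code from this forum or from HijackThis; it encodes those checks as heuristics and runs them over a handful of lines copied from the log (with the path separators the page extraction stripped restored). The heuristics, the CORE_BINARIES list and the edit-distance threshold are this example's own choices.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread, not code from the forum or from HijackThis.
It parses R/O entries and applies a few defender-side heuristics that the
log above illustrates. A hit means "look at this entry", not "this is malware".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample entries copied from the first HijackThis log in this thread, with the
# backslashes that the page extraction stripped put back.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [wekewfjo983mkefdd] C:\DOCUME~1\LEEPAY~1\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Lee Payton\cftmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\LEEPAY~1\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O4 - HKLM\..\Run: [name] command" -> section "O4", body "HKLM\..\Run: ..."
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# First Windows path in the entry; the optional ":stream" suffix keeps an
# alternate data stream such as svchost.exe:exe.exe in the captured path.
PATH_RE = re.compile(
    r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|sys|ocx)(?::[\w.]+)?', re.IGNORECASE)
# An executable sitting directly in a user profile root (applied to a lowercased path).
PROFILE_ROOT_RE = re.compile(r"[a-z]:\\documents and settings\\[^\\]+\\[^\\]+")
# Core Windows binaries that droppers imitate with one-character changes (example's own list).
CORE_BINARIES = ("smss", "csrss", "winlogon", "services", "lsass", "svchost",
                 "spoolsv", "explorer", "ctfmon", "rundll32")


@dataclass
class Finding:
    section: str
    path: Optional[str]
    reasons: List[str] = field(default_factory=list)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions
    (so cftmon vs ctfmon costs 1, not 2)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(stem: str) -> Optional[str]:
    """Return the core binary that `stem` imitates (distance 1), else None."""
    s = stem.lower()
    if s in CORE_BINARIES:          # the genuine name is not a lookalike
        return None
    for core in CORE_BINARIES:
        if osa_distance(s, core) <= 1:
            return core
    return None


def classify(line: str) -> Optional[Finding]:
    """Parse one HJT line and attach every heuristic it trips."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    pm = PATH_RE.search(body)
    f = Finding(section, pm.group(0) if pm else None)
    if "(file missing)" in body:
        f.reasons.append("target file missing (orphaned entry: clean up, not proof of malware)")
    if f.path is None:
        return f
    low = f.path.lower()
    if "\\temp\\" in low:
        f.reasons.append("autorun launched from a Temp directory")
    if "\\drivers\\" in low and low.endswith(".exe"):
        f.reasons.append(".exe placed in the drivers directory, which holds .sys files")
    if ":" in f.path[2:]:
        f.reasons.append("alternate data stream hidden in the path")
    if PROFILE_ROOT_RE.fullmatch(low):
        f.reasons.append("executable directly in a user profile root")
    basename = low.rsplit("\\", 1)[-1]
    if basename.endswith(".exe"):
        core = lookalike(basename.split(".", 1)[0])
        if core:
            f.reasons.append(f"filename imitates {core}.exe")
    return f


def triage(log_text: str) -> List[Finding]:
    """Return only the entries that tripped at least one heuristic."""
    out = []
    for line in log_text.splitlines():
        f = classify(line)
        if f and f.reasons:
            out.append(f)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.path or '(no path)'}")
        for r in f.reasons:
            print("   -", r)
```

On the sample above this flags seven of the ten entries and leaves NvCpl.dll, ctfmon.exe and nvsvc32.exe alone. The two "(file missing)" hits (the Windows Messenger button and the winhdn32 Winlogon Notify) show why a hit is only a prompt to look: the first is a harmless leftover, the second is the trace of a removed malicious DLL, and only the surrounding log tells them apart.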


Pancake - 6-8-2008 at 22:42

Ok. Let's fix it.

Ok. Let's download ComboFix.exe. This will give me a better view of the files running and hidden on your computer, and also those in the registry. Please visit this webpage for downloading and instructions for running the tool:

Go here ======> http://www.bleepingcomputer.com/combofix/how-to-use-combofix A guide and tutorial on using ComboFix <====== Go here
Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.

NOTE: ComboFix prevents autorun of all CDs, floppies and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please let me know.


blue11 - 6-8-2008 at 23:15

I'm going to head up to the infected computer, I'll be 5 min.

---thanks again Pancake, hold up


blue11 - 6-8-2008 at 23:54

It says I already have a restore saved; however I do not know where it's located or how to access it.... I followed the same process with you for another malware scan in the past -- what should I do?


blue11 - 7-8-2008 at 00:17

I ran combofix.exe with a restore somewhere in my cpu... it cleaned some files without a combo.txt -- but I haven't run into any problems so here's a new HJT...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:13, on 2008-08-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\SPA\smc.exe
C:\Program Files\Symantec\SPA\snac.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Symantec\SPA\SmcGui.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66008
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66008
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070824
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {BC9DB759-0CDB-4E49-A3EB-BEDF51C9EC48} - C:\WINDOWS\system32\iifcBUmK.dll (file missing)
O2 - BHO: (no name) - {EF94F36B-384D-4008-8A5F-C9F6324B825F} - C:\WINDOWS\system32\ssqqnnOH.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [lphcc1rj0e56g] C:\WINDOWS\system32\lphcc1rj0e56g.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMe361c734] Rundll32.exe "C:\WINDOWS\system32\souhfdkn.dll",s
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvwiw.dll,startup
O4 - HKLM\..\Run: [e052f4a8] rundll32.exe "C:\WINDOWS\system32\sonnsvdd.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2D951DA-6CA3-4F54-9131-ADECA2422C35}: NameServer = 71.242.0.12,71.250.0.12
O20 - Winlogon Notify: ssqqnnOH - ssqqnnOH.dll (file missing)
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Protection Agent 5.1 (SmcService) - Symantec Corporation - C:\Program Files\Symantec\SPA\smc.exe
O23 - Service: Symantec NAC Service (SNAC) - Symantec Corporation - C:\Program Files\Symantec\SPA\snac.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 8303 bytes


Pancake - 7-8-2008 at 01:34

Don't worry about the restore just go with Combofix and post the log.


blue11 - 7-8-2008 at 15:20

ComboFix 08-08-06.02 - Lee Payton 2008-08-06 23:11:27.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1330 [GMT -4:00]
Running from: C:\Documents and Settings\Lee Payton\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Secure Solutions
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\as2008xp.exe
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG20080806193328156.log
C:\Documents and Settings\Lee Payton\Application Data\rhc91rj0e56g
C:\Documents and Settings\Lee Payton\cftmon.exe
C:\Documents and Settings\Lee Payton\pipilib.zip
C:\Documents and Settings\LocalService\cftmon.exe
C:\Program Files\rhc91rj0e56g
C:\WINDOWS\BMe361c734.txt
C:\WINDOWS\BMe361c734.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\349168
C:\WINDOWS\system32\349168\349168.dll
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\bktlaepy.dll
C:\WINDOWS\system32\blphcc1rj0e56g.scr
C:\WINDOWS\system32\cbdzfr.dll
C:\WINDOWS\system32\ddvsnnos.ini
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\drvwiw.dll
C:\WINDOWS\system32\geBSIbab.dll
C:\WINDOWS\system32\guwditbf.dll
C:\WINDOWS\system32\iifcBUmK.dll
C:\WINDOWS\system32\jmcereqp.dll
C:\WINDOWS\system32\KmUBcfii.ini
C:\WINDOWS\system32\KmUBcfii.ini2
C:\WINDOWS\system32\lphcc1rj0e56g.exe
C:\WINDOWS\system32\phcc1rj0e56g.bmp
C:\WINDOWS\system32\pphcc1rj0e56g.exe
C:\WINDOWS\system32\sonnsvdd.dll
C:\WINDOWS\system32\souhfdkn.dll
C:\WINDOWS\system32\ssqqnnOH.dll
C:\WINDOWS\system32\winhdn32.dll
C:\WINDOWS\system32\ypealtkb.ini
C:\WINDOWS\system32\yutknv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_fci


((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.

2008-08-06 19:33 . 2008-08-06 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-06 19:31 . 2008-08-06 19:31 2,048 --a------ C:\WINDOWS\system32\ybnkpftp.exe
2008-08-06 08:44 . 2008-08-06 08:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-06 08:43 . 2008-08-06 08:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-05 19:30 . 2008-08-05 19:30 2,048 --a------ C:\WINDOWS\system32\awnpmpxi.exe
2008-08-05 19:19 . 2008-08-05 19:19 40,448 --a------ C:\Documents and Settings\Lee Payton\xrt_pfbs.exe
2008-08-05 19:19 . 2008-08-05 19:19 2 --a------ C:\-531434489
2008-08-05 19:19 . 2008-08-05 21:51 0 --a------ C:\WINDOWS\system32\drivers\7a4c7f08.sys
2008-08-05 18:34 . 2008-08-05 18:37 <DIR> d-------- C:\Program Files\AutoCAD 2008
2008-08-05 18:34 . 2008-08-05 18:34 <DIR> d-------- C:\Documents and Settings\Lee Payton\Application Data\Autodesk
2008-08-05 18:34 . 2008-08-05 18:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-08-05 18:33 . 2008-08-05 18:37 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-08-05 18:33 . 2008-08-05 18:33 <DIR> d-------- C:\Program Files\Autodesk
2008-08-05 00:11 . 2008-08-05 00:15 <DIR> d-------- C:\Program Files\Registry Easy
2008-08-04 23:27 . 2008-08-05 19:14 <DIR> d-------- C:\Program Files\Uniblue
2008-08-04 23:27 . 2008-08-05 19:48 <DIR> d-------- C:\Documents and Settings\Lee Payton\Application Data\Uniblue
2008-08-04 23:00 . 2008-08-04 23:00 <DIR> d-------- C:\Program Files\Common Files\Cadsoft
2008-08-04 23:00 . 2008-08-04 23:00 <DIR> d-------- C:\Program Files\Cadsoft
2008-08-04 23:00 . 2008-08-04 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Cadsoft
2008-08-04 23:00 . 2008-08-04 23:00 0 --a------ C:\WINDOWS\system32\_r_a_p_.tmp
2008-08-04 22:35 . 2008-08-04 23:03 <DIR> d-------- C:\Program Files\Realtime Landscaping Architect Trial
2008-08-04 21:31 . 2008-08-04 21:59 <DIR> d-------- C:\Documents and Settings\Lee Payton\Application Data\GetRightToGo
2008-08-03 17:48 . 2008-08-03 17:48 <DIR> d-------- C:\Program Files\Panicware
2008-07-23 21:23 . 2008-07-23 21:23 <DIR> d-------- C:\Program Files\Connection Booster
2008-07-23 21:23 . 2003-09-05 00:17 917,504 --a------ C:\WINDOWS\system32\Flash.ocx
2008-07-23 21:23 . 2004-01-09 04:54 188,416 --a------ C:\WINDOWS\system32\actsplash.ocx
2008-07-23 21:23 . 2000-07-14 23:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-07-14 04:48 . 2008-07-14 07:27 877,719,320 --a------ C:\Program Files\after_effectsCS3.exe
2008-07-14 03:31 . 2008-07-14 03:31 <DIR> d-------- C:\Documents and Settings\Lee Payton\Application Data\Thinstall
2008-07-08 14:49 . 2008-07-08 14:49 <DIR> d-------- C:\Documents and Settings\Lee Payton\Application Data\Media Player Classic
2008-07-08 14:47 . 2008-07-08 14:47 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-07-08 14:23 . 2008-07-08 14:24 456,044 --a------ C:\Documents and Settings\Lee Payton\Application Data\setup_CodecInstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 23:37 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-05 22:06 --------- d-----w C:\Program Files\Dl_cats
2008-08-05 21:28 --------- d-----w C:\Program Files\PeerGuardian2
2008-08-05 21:28 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\uTorrent
2008-08-05 03:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-05 03:00 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-14 17:13 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\Download Manager
2008-07-10 09:10 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\Vso
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-16 21:36 --------- d-----w C:\Program Files\VSO
2008-06-16 21:06 --------- d-----w C:\Program Files\Google
2008-06-16 18:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-06-16 18:20 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-06-16 17:57 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\CyberLink
2008-06-16 17:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2006-07-20 05:42 19,153,264 ----a-w C:\Documents and Settings\Lee Payton\Application Data\aaw2008.exe
.

------- Sigcheck -------

2006-01-09 14:02 662016 dde9597a3311748c1519444e2bc147bd C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\wininet.dll
2007-02-20 05:52 665600 b258c922d22deec880b60720531d7627 C:\WINDOWS\$hf_mig$\KB931768\SP2QFE\wininet.dll
2007-06-26 10:35 665600 e1a3dd68b5380b360a7310a64d9bb188 C:\WINDOWS\$hf_mig$\KB937143\SP2QFE\wininet.dll
2007-08-22 08:55 665600 a1bc17eb3758d73c3938b2318820f5b4 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\wininet.dll
2007-10-11 01:57 666112 80d660a49e0d118144423099b2a9f5da C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\wininet.dll
2007-10-10 19:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-06 22:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 09:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2008-04-22 23:35 827392 41546b396a526918da7995a02ea04e51 C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
2007-02-20 05:48 658944 30d1c47e40efbb792ff8d3c3b51ce507 C:\WINDOWS\$NtUninstallKB937143$\wininet.dll
2007-06-26 10:09 658944 184e47c8f7b331025e6dc92740db188f C:\WINDOWS\$NtUninstallKB939653$\wininet.dll
2007-08-22 09:12 658944 1901ad51da8be9f8b38d5d526e5d1788 C:\WINDOWS\$NtUninstallKB942615$\wininet.dll
2007-10-10 19:56 824832 30c1e0f34ad2972c72a01db5c74ab065 C:\WINDOWS\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\wininet.dll
2007-10-10 19:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINDOWS\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\wininet.dll
2008-04-23 00:16 817152 f82dc979e1f334df0c893b3bfdeb404e C:\WINDOWS\system32\wininet.dll
2008-04-23 00:16 817152 f82dc979e1f334df0c893b3bfdeb404e C:\WINDOWS\system32\dllcache\wininet.dll

2008-08-05 19:19 502272 9b1bd82bd0761b5ba986af66d2809c30 C:\WINDOWS\system32\winlogon.exe

2007-06-13 06:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:\WINDOWS\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 06:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 06:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"PopUpStopperFreeEdition"="C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe" [2005-03-17 11:10 536576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-21 11:12 7204864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jnskdfmf9eldfd
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcc1rj0e56g
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhc91rj0e56g
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wekewfjo983mkefdd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 22:46 624248 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
-ra------ 2008-03-06 14:56 61440 C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-03-24 18:14 53408 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--------- 2003-06-18 02:00 45056 C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcxmon.exe]
--a------ 2007-01-12 12:57 292336 C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
--a------ 2006-11-03 18:09 312200 C:\Program Files\Dell PC Fax\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2007-03-21 14:00 174872 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 10:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 10:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryCardManager]
--a------ 2006-11-03 18:04 304008 C:\Program Files\Dell Photo AIO Printer 926\memcard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-03-21 11:12 7204864 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2006-10-20 18:23 118784 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 10:00 1116920 C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-09-01 23:02 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
--------- 2005-10-14 12:01 122880 C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2006-06-15 02:40 124656 C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2008-04-29 19:56 158624 c:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2005-11-08 06:30 16384 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-03-01 22:00 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneWlanCfgSvc"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"ZuneBusEnum"=2 (0x2)
"gusvc"=3 (0x3)
"wuauserv"=2 (0x2)
"WmdmPmSN"=3 (0x3)
"LiveUpdate"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"C:\WINDOWS\system32\dlcxcoms.exe"=
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\Program Files\Bonjour\mDNSResponder.exe"=
"C:\Program Files\uTorrent\uTorrent.exe"=
"C:\WINDOWS\system32\winver.exe"=

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"46675:TCP"= 46675:TCP:utorrent

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileIcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 DLARTL_M;DLARTL_M;C:WINDOWSsystem32DriversDLARTL_M.SYS [2006-08-11 11:35]
R2 ASFIPmon;Broadcom ASF IP Monitor;C:Program FilesBroadcomASFIPMonAsfIpMon.exe [2006-03-17 18:25]
R2 dlcx_device;dlcx_device;C:WINDOWSsystem32dlcxcoms.exe [2006-11-03 18:07]
R2 WGX;Extend WG Protocol Driver;C:WINDOWSsystem32DriversWGX.sys [2007-08-06 15:29]
R2 zumbus;Zune Bus Enumerator Driver;C:WINDOWSsystem32DRIVERSzumbus.sys [2008-04-29 19:39]
R3 ha20x2k;Creative 20X HAL Driver;C:WINDOWSsystem32driversha20x2k.sys [2006-02-15 00:40]
S1 7a4c7f08;7a4c7f08;C:WINDOWSsystem32drivers7a4c7f08.sys [2008-08-05 21:51]
S4 SysGuard;SysGuard;C:WINDOWSsystem32DriversSysguard.sys []
S4 ZuneBusEnum;Zune Bus Enumerator;c:WINDOWSsystem32ZuneBusEnum.exe [2008-04-29 19:56]
S4 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:WINDOWSsystem32ZuneWlanCfgSvc.exe [2008-04-29 19:56]

[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{0538cd9a-9cad-11dc-8d99-001aa03438fe}]
ShellAutoRuncommand - F:setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 C:WINDOWSTasksSchedule Task Weekly.job
- C:Program FilesRegistry EasyRE.exe []

2008-08-05 C:WINDOWSTasksUniblue SpeedUpMyPC Nag.job
- C:Program FilesUniblueSpeedUpMyPC 3SpeedUpMyPC.exe []

2008-08-05 C:WINDOWSTasksUniblue SpeedUpMyPC.job
- C:Program FilesUniblueSpeedUpMyPC 3SpeedUpMyPC.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{BC9DB759-0CDB-4E49-A3EB-BEDF51C9EC48} - (no file)
BHO-{EF94F36B-384D-4008-8A5F-C9F6324B825F} - (no file)
ShellExecuteHooks-{EF94F36B-384D-4008-8A5F-C9F6324B825F} - (no file)
Notify-ssqqnnOH - ssqqnnOH.dll
Notify-winhdn32 - winhdn32.dll
MSConfigStartUp-BMe361c734 - C:WINDOWSsystem32souhfdkn.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = google.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: Append to existing PDF - C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert link target to Adobe PDF - C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 -: E&xport to Microsoft Excel - C:PROGRA~1MICROS~2Office12EXCEL.EXE/3000
O17 -: HKLMCCSInterface{B2D951DA-6CA3-4F54-9131-ADECA2422C35}: NameServer = 71.242.0.12,71.250.0.12


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 23:14:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINESystemControlSet001Servicesvsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:Program FilesSymantecSPASmc.exe
C:Program FilesSymantecSPASNAC.EXE
C:Program FilesCommon FilesSymantec SharedccSetMgr.exe
C:Program FilesLavasoftAd-Awareaawservice.exe
C:Program FilesBonjourmDNSResponder.exe
C:Program FilesSymantec AntiVirusDefWatch.exe
C:Program FilesIntelIntel Matrix Storage ManagerIAANTmon.exe
C:WINDOWSsystem32nvsvc32.exe
C:Program FilesSymantec AntiVirusSavRoam.exe
C:Program FilesCompact Wireless-G USB Adapter Wireless Network MonitorWLService.exe
C:Program FilesCompact Wireless-G USB Adapter Wireless Network MonitorWUSB54GC.exe
C:Program FilesSymantecSPASmcGui.exe
.
**************************************************************************
.
Completion time: 2008-08-06 23:18:55 - machine was rebooted [Lee Payton]
ComboFix-quarantined-files.txt 2008-08-07 03:18:22

Pre-Run: 208,431,742,976 bytes free
Post-Run: 208,240,078,848 bytes free

328 --- E O F --- 2008-07-25 08:00:29


LSemmens - 7-8-2008 at 15:26

Hi, Blue11, welcome to Karl's place. Pancake will most likely be back in tomorrow as he lives down under and it's currently the very early hours here (0100). Please be patient and he'll get back to you.


Pancake - 7-8-2008 at 22:34

Ok. Just a bit more to fix....

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:

File::
C:WINDOWSsystem32ybnkpftp.exe
C:-531434489

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


(Image: http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif)

Referring to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*


=====================================


Please download Malwarebytes' Anti-Malware from one of these places:

http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report in your next reply along with a fresh HijackThis log.

Please Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


blue11 - 8-8-2008 at 02:34

ComboFix 08-08-06.02 - Lee Payton 2008-08-07 10:31:12.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1562 [GMT -4:00]
Running from: C:Documents and SettingsLee PaytonDesktopComboFix.exe
Command switches used :: C:Documents and SettingsLee PaytonDesktopCFScript.txt
* Created a new restore point

FILE ::
C:-531434489
C:WINDOWSsystem32ybnkpftp.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:-531434489
C:WINDOWSsystem32ybnkpftp.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.

2008-08-07 03:00 . 2008-08-07 03:00 <DIR> d-------- C:Program FilesMSXML 6.0
2008-08-06 19:33 . 2008-08-06 19:33 <DIR> d-------- C:Documents and SettingsAll UsersApplication Dataservices
2008-08-06 08:44 . 2008-08-06 08:44 <DIR> d-------- C:Program FilesLavasoft
2008-08-06 08:43 . 2008-08-06 08:43 <DIR> d-------- C:Program FilesCommon FilesWise Installation Wizard
2008-08-05 19:30 . 2008-08-05 19:30 2,048 --a------ C:WINDOWSsystem32awnpmpxi.exe
2008-08-05 19:19 . 2008-08-05 19:19 40,448 --a------ C:Documents and SettingsLee Paytonxrt_pfbs.exe
2008-08-05 19:19 . 2008-08-05 21:51 0 --a------ C:WINDOWSsystem32drivers7a4c7f08.sys
2008-08-05 18:34 . 2008-08-05 18:37 <DIR> d-------- C:Program FilesAutoCAD 2008
2008-08-05 18:34 . 2008-08-05 18:34 <DIR> d-------- C:Documents and SettingsLee PaytonApplication DataAutodesk
2008-08-05 18:34 . 2008-08-05 18:34 <DIR> d-------- C:Documents and SettingsAll UsersApplication DataAutodesk
2008-08-05 18:33 . 2008-08-05 18:37 <DIR> d-------- C:Program FilesCommon FilesAutodesk Shared
2008-08-05 18:33 . 2008-08-05 18:33 <DIR> d-------- C:Program FilesAutodesk
2008-08-05 00:11 . 2008-08-05 00:15 <DIR> d-------- C:Program FilesRegistry Easy
2008-08-04 23:27 . 2008-08-05 19:14 <DIR> d-------- C:Program FilesUniblue
2008-08-04 23:27 . 2008-08-05 19:48 <DIR> d-------- C:Documents and SettingsLee PaytonApplication DataUniblue
2008-08-04 23:00 . 2008-08-04 23:00 <DIR> d-------- C:Program FilesCommon FilesCadsoft
2008-08-04 23:00 . 2008-08-04 23:00 <DIR> d-------- C:Program FilesCadsoft
2008-08-04 23:00 . 2008-08-04 23:00 <DIR> d-------- C:Documents and SettingsAll UsersApplication DataCadsoft
2008-08-04 23:00 . 2008-08-04 23:00 0 --a------ C:WINDOWSsystem32_r_a_p_.tmp
2008-08-04 22:35 . 2008-08-04 23:03 <DIR> d-------- C:Program FilesRealtime Landscaping Architect Trial
2008-08-04 21:31 . 2008-08-04 21:59 <DIR> d-------- C:Documents and SettingsLee PaytonApplication DataGetRightToGo
2008-08-03 17:48 . 2008-08-03 17:48 <DIR> d-------- C:Program FilesPanicware
2008-07-23 21:23 . 2008-07-23 21:23 <DIR> d-------- C:Program FilesConnection Booster
2008-07-23 21:23 . 2003-09-05 00:17 917,504 --a------ C:WINDOWSsystem32Flash.ocx
2008-07-23 21:23 . 2004-01-09 04:54 188,416 --a------ C:WINDOWSsystem32actsplash.ocx
2008-07-23 21:23 . 2000-07-14 23:00 101,888 --a------ C:WINDOWSsystem32VB6STKIT.DLL
2008-07-14 04:48 . 2008-07-14 07:27 877,719,320 --a------ C:Program Filesafter_effectsCS3.exe
2008-07-14 03:31 . 2008-07-14 03:31 <DIR> d-------- C:Documents and SettingsLee PaytonApplication DataThinstall
2008-07-08 14:49 . 2008-07-08 14:49 <DIR> d-------- C:Documents and SettingsLee PaytonApplication DataMedia Player Classic
2008-07-08 14:47 . 2008-07-08 14:47 <DIR> d-------- C:Program FilesK-Lite Codec Pack
2008-07-08 14:23 . 2008-07-08 14:24 456,044 --a------ C:Documents and SettingsLee PaytonApplication Datasetup_CodecInstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 07:52 --------- d-----w C:Documents and SettingsLee PaytonApplication DatauTorrent
2008-08-05 23:37 --------- d-----w C:Program FilesSymantec AntiVirus
2008-08-05 23:19 502,272 ----a-w C:WINDOWSsystem32winlogon.exe
2008-08-05 23:19 295,424 ----a-w C:WINDOWSsystem32termsrv.dll
2008-08-05 23:19 14,336 ----a-w C:WINDOWSsystem32svchost.exe
2008-08-05 22:06 --------- d-----w C:Program FilesDl_cats
2008-08-05 21:28 --------- d-----w C:Program FilesPeerGuardian2
2008-08-05 03:00 --------- d--h--w C:Program FilesInstallShield Installation Information
2008-08-05 03:00 --------- d-----w C:Program FilesCommon FilesInstallShield
2008-07-14 17:13 --------- d-----w C:Documents and SettingsLee PaytonApplication DataDownload Manager
2008-07-10 09:10 --------- d-----w C:Documents and SettingsLee PaytonApplication DataVso
2008-07-07 04:56 5,852 --sha-w C:WINDOWSsystem32KGyGaAvL.sys
2008-06-20 17:41 245,248 ----a-w C:WINDOWSsystem32mswsock.dll
2008-06-20 17:41 245,248 ------w C:WINDOWSsystem32dllcachemswsock.dll
2008-06-20 17:41 148,992 ----a-w C:WINDOWSsystem32dllcachednsapi.dll
2008-06-20 10:45 360,320 ----a-w C:WINDOWSsystem32driverstcpip.sys
2008-06-20 10:45 360,320 ----a-w C:WINDOWSsystem32dllcachetcpip.sys
2008-06-20 10:44 138,368 ----a-w C:WINDOWSsystem32driversafd.sys
2008-06-20 10:44 138,368 ------w C:WINDOWSsystem32dllcacheafd.sys
2008-06-20 09:52 225,920 ----a-w C:WINDOWSsystem32driverstcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:WINDOWSsystem32dllcachetcpip6.sys
2008-06-16 21:36 --------- d-----w C:Program FilesVSO
2008-06-16 21:06 --------- d-----w C:Program FilesGoogle
2008-06-16 18:53 --------- d-----w C:Documents and SettingsAll UsersApplication Datavsosdk
2008-06-16 18:20 47,360 ----a-w C:WINDOWSsystem32driverspcouffin.sys
2008-06-16 17:57 --------- d-----w C:Documents and SettingsLee PaytonApplication DataCyberLink
2008-06-16 17:57 --------- d-----w C:Documents and SettingsAll UsersApplication DataCyberLink
2008-06-13 13:10 272,128 ------w C:WINDOWSsystem32driversbthport.sys
2008-06-13 13:10 272,128 ------w C:WINDOWSsystem32dllcachebthport.sys
2008-05-16 15:58 12,632 ----a-w C:WINDOWSsystem32lsdelete.exe
2008-05-08 12:28 202,752 ------w C:WINDOWSsystem32dllcachermcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:WINDOWSsystem32quartz.dll
2008-05-07 05:18 1,287,680 ------w C:WINDOWSsystem32dllcachequartz.dll
2006-07-20 05:42 19,153,264 ----a-w C:Documents and SettingsLee PaytonApplication Dataaaw2008.exe
.

------- Sigcheck -------

2006-01-09 14:02 662016 dde9597a3311748c1519444e2bc147bd C:WINDOWS$hf_mig$KB912945SP2QFEwininet.dll
2007-02-20 05:52 665600 b258c922d22deec880b60720531d7627 C:WINDOWS$hf_mig$KB931768SP2QFEwininet.dll
2007-06-26 10:35 665600 e1a3dd68b5380b360a7310a64d9bb188 C:WINDOWS$hf_mig$KB937143SP2QFEwininet.dll
2007-08-22 08:55 665600 a1bc17eb3758d73c3938b2318820f5b4 C:WINDOWS$hf_mig$KB939653SP2QFEwininet.dll
2007-10-11 01:57 666112 80d660a49e0d118144423099b2a9f5da C:WINDOWS$hf_mig$KB942615SP2QFEwininet.dll
2007-10-10 19:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:WINDOWS$hf_mig$KB942615-IE7SP2QFEwininet.dll
2007-12-06 22:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:WINDOWS$hf_mig$KB944533-IE7SP2QFEwininet.dll
2008-03-01 09:03 827392 6316c2f0c61271c8abdff7429174879e C:WINDOWS$hf_mig$KB947864-IE7SP2QFEwininet.dll
2008-04-22 23:35 827392 41546b396a526918da7995a02ea04e51 C:WINDOWS$hf_mig$KB950759-IE7SP2QFEwininet.dll
2007-02-20 05:48 658944 30d1c47e40efbb792ff8d3c3b51ce507 C:WINDOWS$NtUninstallKB937143$wininet.dll
2007-06-26 10:09 658944 184e47c8f7b331025e6dc92740db188f C:WINDOWS$NtUninstallKB939653$wininet.dll
2007-08-22 09:12 658944 1901ad51da8be9f8b38d5d526e5d1788 C:WINDOWS$NtUninstallKB942615$wininet.dll
2007-10-10 19:56 824832 30c1e0f34ad2972c72a01db5c74ab065 C:WINDOWSSoftwareDistributionDownloade3709fbfd9557a7d083f543d51d38612SP2GDRwininet.dll
2007-10-10 19:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:WINDOWSSoftwareDistributionDownloade3709fbfd9557a7d083f543d51d38612SP2QFEwininet.dll
2008-04-23 00:16 817152 f82dc979e1f334df0c893b3bfdeb404e C:WINDOWSsystem32wininet.dll
2008-04-23 00:16 817152 f82dc979e1f334df0c893b3bfdeb404e C:WINDOWSsystem32dllcachewininet.dll

2008-08-05 19:19 502272 9b1bd82bd0761b5ba986af66d2809c30 C:WINDOWSsystem32winlogon.exe

2007-06-13 06:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:WINDOWSexplorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:WINDOWS$hf_mig$KB938828SP2QFEexplorer.exe
2004-08-04 06:00 1032192 a0732187050030ae399b241436565e64 C:WINDOWS$NtUninstallKB938828$explorer.exe
2007-06-13 06:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:WINDOWSsystem32dllcacheexplorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"ctfmon.exe"="C:WINDOWSsystem32ctfmon.exe" [2004-08-04 06:00 15360]
"PopUpStopperFreeEdition"="C:Program FilesPanicwarePop-Up Stopper Free EditionPSFree.exe" [2005-03-17 11:10 536576]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"NvCplDaemon"="C:WINDOWSsystem32NvCpl.dll" [2006-03-21 11:12 7204864]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversiondrivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWdf01000.sys]
@="Driver"

[HKLM~startupfolderC:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:WINDOWSpssAdobe Reader Speed Launch.lnkCommon Startup

[HKLM~startupfolderC:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:WINDOWSpssAdobe Reader Synchronizer.lnkCommon Startup
HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregJnskdfmf9eldfd
HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupreglphcc1rj0e56g
HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregSMrhc91rj0e56g
HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregwekewfjo983mkefdd

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregAcrobat Assistant 8.0]
--a------ 2007-05-10 22:46 624248 C:Program FilesAdobeAcrobat 8.0Acrobatacrotray.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregAdobe Photo Downloader]
-ra------ 2008-03-06 14:56 61440 C:Program FilesAdobeAdobe Photoshop Lightroom 1.4apdproxy.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregccApp]
--a------ 2006-03-24 18:14 53408 C:Program FilesCommon FilesSymantec SharedccApp.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregCTDVDDET]
--------- 2003-06-18 02:00 45056 C:Program FilesCreativeSound Blaster X-FiDVDAudioCTDVDDET.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:WINDOWSsystem32ctfmon.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregdlcxmon.exe]
--a------ 2007-01-12 12:57 292336 C:Program FilesDell Photo AIO Printer 926dlcxmon.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregFaxCenterServer]
--a------ 2006-11-03 18:09 312200 C:Program FilesDell PC Faxfm3032.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregIAAnotif]
--a------ 2007-03-21 14:00 174872 C:Program FilesIntelIntel Matrix Storage ManagerIAAnotif.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregISUSPM Startup]
--a------ 2005-06-10 10:44 249856 C:Program FilesCommon FilesInstallShieldUpdateServiceISUSPM.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregISUSScheduler]
--a------ 2005-06-10 10:44 81920 C:Program FilesCommon FilesInstallShieldUpdateServiceissch.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregMemoryCardManager]
--a------ 2006-11-03 18:04 304008 C:Program FilesDell Photo AIO Printer 926memcard.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregNvCplDaemon]
--a------ 2006-03-21 11:12 7204864 C:WINDOWSsystem32nvcpl.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregPDVDDXSrv]
--------- 2006-10-20 18:23 118784 C:Program FilesCyberLinkPowerDVD DXPDVDDXSrv.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregRoxioDragToDisc]
--a------ 2006-08-17 10:00 1116920 C:Program FilesRoxioDrag-to-DiscDrgToDsc.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregswg]
--a------ 2007-09-01 23:02 68856 C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregUpdReg]
--------- 2000-05-11 02:00 90112 C:WINDOWSUpdreg.EXE

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregVolPanel]
--------- 2005-10-14 12:01 122880 C:Program FilesCreativeSound Blaster X-FiVolume PanelVolPanel.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregvptray]
--a------ 2006-06-15 02:40 124656 C:PROGRA~1SYMANT~1VPTray.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregZune Launcher]
--a------ 2008-04-29 19:56 158624 c:Program FilesZuneZuneLauncher.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregCTHelper]
--a------ 2005-11-08 06:30 16384 C:WINDOWSCTHELPER.EXE

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregCTxfiHlp]
--a------ 2006-03-01 22:00 18944 C:WINDOWSsystem32CTXFIHLP.EXE

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigservices]
"ZuneWlanCfgSvc"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"ZuneBusEnum"=2 (0x2)
"gusvc"=3 (0x3)
"wuauserv"=2 (0x2)
"WmdmPmSN"=3 (0x3)
"LiveUpdate"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"C:\WINDOWS\system32\dlcxcoms.exe"=
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\Program Files\Bonjour\mDNSResponder.exe"=
"C:\Program Files\uTorrent\uTorrent.exe"=
"C:\WINDOWS\system32\winver.exe"=

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"46675:TCP"= 46675:TCP:utorrent

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileIcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 DLARTL_M;DLARTL_M;C:WINDOWSsystem32DriversDLARTL_M.SYS [2006-08-11 11:35]
R2 ASFIPmon;Broadcom ASF IP Monitor;C:Program FilesBroadcomASFIPMonAsfIpMon.exe [2006-03-17 18:25]
R2 dlcx_device;dlcx_device;C:WINDOWSsystem32dlcxcoms.exe [2006-11-03 18:07]
R2 WGX;Extend WG Protocol Driver;C:WINDOWSsystem32DriversWGX.sys [2007-08-06 15:29]
R2 zumbus;Zune Bus Enumerator Driver;C:WINDOWSsystem32DRIVERSzumbus.sys [2008-04-29 19:39]
R3 ha20x2k;Creative 20X HAL Driver;C:WINDOWSsystem32driversha20x2k.sys [2006-02-15 00:40]
S1 7a4c7f08;7a4c7f08;C:WINDOWSsystem32drivers7a4c7f08.sys [2008-08-05 21:51]
S4 SysGuard;SysGuard;C:WINDOWSsystem32DriversSysguard.sys []
S4 ZuneBusEnum;Zune Bus Enumerator;c:WINDOWSsystem32ZuneBusEnum.exe [2008-04-29 19:56]
S4 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:WINDOWSsystem32ZuneWlanCfgSvc.exe [2008-04-29 19:56]

[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{0538cd9a-9cad-11dc-8d99-001aa03438fe}]
ShellAutoRuncommand - F:setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 C:WINDOWSTasksSchedule Task Weekly.job
- C:Program FilesRegistry EasyRE.exe []

2008-08-05 C:WINDOWSTasksUniblue SpeedUpMyPC Nag.job
- C:Program FilesUniblueSpeedUpMyPC 3SpeedUpMyPC.exe []

2008-08-05 C:WINDOWSTasksUniblue SpeedUpMyPC.job
- C:Program FilesUniblueSpeedUpMyPC 3SpeedUpMyPC.exe []
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 10:32:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINEsystemControlSet001Servicesvsdatant]
"ImagePath"=""
.
Completion time: 2008-08-07 10:32:36
ComboFix-quarantined-files.txt 2008-08-07 14:32:32
ComboFix2.txt 2008-08-07 03:18:56

Pre-Run: 207,780,339,712 bytes free
Post-Run: 207,769,366,528 bytes free

267 --- E O F --- 2008-08-07 07:00:22


blue11 - 8-8-2008 at 02:34

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:35 AM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesSymantecSPAsmc.exe
C:Program FilesSymantecSPAsnac.exe
C:Program FilesCommon FilesSymantec SharedccSetMgr.exe
C:Program FilesLavasoftAd-Awareaawservice.exe
C:WINDOWSsystem32spoolsv.exe
C:Program FilesBroadcomASFIPMonAsfIpMon.exe
C:Program FilesBonjourmDNSResponder.exe
C:Program FilesSymantec AntiVirusDefWatch.exe
C:WINDOWSsystem32dlcxcoms.exe
C:Program FilesIntelIntel Matrix Storage ManagerIaantmon.exe
C:WINDOWSsystem32nvsvc32.exe
C:Program FilesSymantec AntiVirusSavRoam.exe
C:Program FilesCompact Wireless-G USB Adapter Wireless Network MonitorWLService.exe
C:Program FilesCompact Wireless-G USB Adapter Wireless Network MonitorWUSB54GC.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesPanicwarePop-Up Stopper Free EditionPSFree.exe
C:Program FilesSymantecSPASmcGui.exe
C:WINDOWSexplorer.exe
C:WINDOWSsystem32NOTEPAD.EXE
C:Program Filesinternet exploreriexplore.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = google.com/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66008
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66008
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070824
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2D951DA-6CA3-4F54-9131-ADECA2422C35}: NameServer = 71.242.0.12,71.250.0.12
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Protection Agent 5.1 (SmcService) - Symantec Corporation - C:\Program Files\Symantec\SPA\smc.exe
O23 - Service: Symantec NAC Service (SNAC) - Symantec Corporation - C:\Program Files\Symantec\SPA\snac.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 7794 bytes


blue11 - 8-8-2008 at 02:43

Malwarebytes' Anti-Malware 1.24
Database version: 1031
Windows 5.1.2600 Service Pack 2

10:42:41 AM 8/7/2008
mbam-log-8-7-2008 (10-42-41).txt

Scan type: Quick Scan
Objects scanned: 40414
Time elapsed: 2 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataDisp32 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_patch (Backdoor.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\awnpmpxi.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Payton\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\services\services.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Payton\xrt_pfbs.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogon.old (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


blue11 - 8-8-2008 at 02:44

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:05 AM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\SPA\smc.exe
C:\Program Files\Symantec\SPA\snac.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Symantec\SPA\SmcGui.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66008
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66008
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070824
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2D951DA-6CA3-4F54-9131-ADECA2422C35}: NameServer = 71.242.0.12,71.250.0.12
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Protection Agent 5.1 (SmcService) - Symantec Corporation - C:\Program Files\Symantec\SPA\smc.exe
O23 - Service: Symantec NAC Service (SNAC) - Symantec Corporation - C:\Program Files\Symantec\SPA\snac.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 7774 bytes


blue11 - 8-8-2008 at 02:47

Down under, huh, LSEM? That'll do it... it's ok, I'm in no rush, he's doing me favors.

Beggars can't be choosers.

Unless the chooser is actually the beggar.


Pancake - 8-8-2008 at 02:52

That all looks fine now, so you should be fine.

This will clear away any of the files and folders that were created by ComboFix.

Go to :
Start > Run then copy and paste the following highlighted text below into the box and click OK.



ComboFix /u

(image: http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png)



=============================



Now that you are clean here are a few things that you can do that will help keep your computer a bit more clean and secure..they can be done at your leisure.

Download and scan with CCleaner from http://www.ccleaner.com/downloadbuilds.asp

1. Starting with v1.27.260, http://www.ccleaner.com/downloadbuilds.asp installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic or Slim versions instead of the Standard Build.

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.

In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.


=========================================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version if required.

Before installing go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then install the newest version.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u7 (http://java.sun.com/javase/downloads/index.jsp).



==============================================

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.




========================================================

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

Download SpywareBlaster
SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It sets kill bits in the registry, so that certain ActiveX controls can't install.
If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)

Download iespyad
It puts many bad webpages on your restricted zones list. This means that you can still view the bad webpages, but the webpages cannot do certain things (such as use javascripts and cookies).

Download it here (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe)

Hosts file:
Every version of Windows has a hosts file. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen), click Run, and in the dialog box type services.msc and hit Enter. Then locate DNS Client, highlight it, then double-click it. In the dropdown box, change the setting from Automatic to Manual. Click OK.



Keep Anti Virus Software updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. See here (http://www.snapfiles.com/Freeware/security/fwvirus.html) to choose one.

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
Here (http://www.snapfiles.com/Freeware/security/fwfirewall.html) are some Vista compatible firewalls also.



Know What You're Installing
Check the source.
To avoid malware, make sure your software comes from a reputable source. Be particularly suspicious of sponsored software (software that relies on advertising) or software that claims to speed up your Internet connection.

Use Custom Install.
If you feel comfortable with software installation, you can choose Custom Install (as opposed to Typical Install). Custom Install allows you to select only the software components you wish to install, and leave out others (such as potential spyware).

Modify Security Settings (Internet Explorer 6)
To reduce the risk of installing malware, you can set Internet Explorer to high security mode. To do so:

Open Internet Explorer. Go to Tools > Internet Options.
On the Internet Options screen, select the Security tab, then select the Internet icon (if it is not already selected).
Under Security level for this zone, click Default Level. Set the slider to High.
Note: You may have to lower the security level to view certain Web sites.
Next, select the Trusted Sites icon. Under Security level for this zone, click Default Level. Set the slider to Medium.
Click Apply, then OK to save the changes.


Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link:

http://www.spywarewarrior.com/rogue_anti-spyware.htm
If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above link work, check this for an independent comparison of several anti-spyware programs:

http://www.spywarewarrior.com/asw-test-guide.htm



Let us know if we have not resolved your problem. Otherwise, you are good to go. You can also help us to keep going by offering a small donation. No matter how small, it all helps.... Thank you.

Happy and Safe Surfing!

Pancake (aka) Eddy
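The hosts-file section of the post above says the file is "used to locate webpages" and that a customized copy "blocks certain webpages". Concretely, the resolver consults the hosts file before DNS, so a blocklist such as the MVPS one works by mapping each unwanted name to a null or loopback address (0.0.0.0 or 127.0.0.1), which makes the connection fail locally. The same mechanism can be abused in the other direction, by mapping a legitimate name to some other address, so a hosts file you did not write yourself deserves a review. The script below is an added example for this thread, not the MVPS file or anything Pancake posted; it parses a constructed hosts file in that format, answers whether a name is blocked, and lists entries that redirect rather than block. The sample entries and the `.example` names are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample in the MVPS hosts style (one or more names per line mapped
# to 0.0.0.0), plus the usual localhost lines and one constructed entry that
# points a name at a non-local address. Not a real blocklist.
SAMPLE_HOSTS = """\
# header comment, ignored by the resolver
127.0.0.1       localhost
::1             localhost
0.0.0.0 ad-server.example          # blocked: null-routed
0.0.0.0 tracker.example   www.tracker.example
127.0.0.1 popup.example
192.0.2.10 update.example   # constructed: redirects a name elsewhere
"""

# Addresses that make a blocked connection fail on the local machine.
NULL_ROUTES = {
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map every hostname in a hosts file to its address.

    Hosts lookups are case-insensitive, so names are lower-cased; when a name
    appears twice the first line wins, as it does in the resolver. Lines with
    a malformed address are skipped rather than raising."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), addr)
    return mapping


def is_blocked(mapping: Dict[str, str], hostname: str) -> bool:
    """True when the hosts file sends this name to a null/loopback address.
    Names absent from the file fall through to DNS and are not blocked."""
    addr = mapping.get(hostname.lower().rstrip("."))
    return addr is not None and ipaddress.ip_address(addr) in NULL_ROUTES


def redirects(mapping: Dict[str, str]) -> List[Tuple[str, str]]:
    """Entries that send a name somewhere other than loopback/null. These do
    not block anything; they are the lines to review in a file you did not write."""
    return sorted(
        (name, addr)
        for name, addr in mapping.items()
        if ipaddress.ip_address(addr) not in NULL_ROUTES
    )


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ad-server.example", "WWW.Tracker.example", "news.example"):
        print(f"{name}: {'blocked' if is_blocked(hosts, name) else 'not blocked'}")
    print("redirects to review:", redirects(hosts))
```

The blocking check is deliberately address-based rather than "is the name in the file": a name can be present and still not be blocked, as the constructed `update.example` line shows, and that is exactly the kind of entry `redirects()` surfaces. The slowdown Pancake mentions comes from the DNS Client service caching a very large hosts file, which is why the post suggests switching that service to Manual when a blocklist is installed.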


blue11 - 12-8-2008 at 22:37

Everything looks great, I appreciate it. Currently I just have problems with display drivers and laggy scrolling and dragging actions. Annoying! I posted a thread in PC help...

Late

L:P


Pancake - 13-8-2008 at 22:45

Ok. Glad it's working.