Full Version: uacinit.dll Removal Help
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
northrider1
Have the dreaded uacinit.dll virus and Malwarebytes can't seem to remove it. Any help would be much appreciated. I am going to change all passwords and everything but would like to remove it from the computer instead of having to do a format. Avira AntiVir Personal doesn't seem to remove it either.

Here is the Malwarebytes log.

Malwarebytes' Anti-Malware 1.36
Database version: 2164
Windows 6.0.6001 Service Pack 1

21/05/2009 7:55:41 PM
mbam-log-2009-05-21 (19-55-41).txt

Scan type: Quick Scan
Objects scanned: 77964
Time elapsed: 6 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.


HIJACK THIS LOG FILE

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:44 PM, on 21/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Windows\vVX6000.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\Windows\vVX6000.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mb.exe" /runcleanupscript
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [wanenoguka] Rundll32.exe "C:\Windows\system32\diwajame.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.celartem.com/en/download/data/d...ntrol_en_US.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resou...NPUplden-ca.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O20 - AppInit_DLLs: C:\Windows\ C:\Windows\system32\wosepobe.dll c:\windows\system32\bahegatu.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbx_device - - C:\Windows\system32\dlbxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10814 bytes
Tigger93
Hi.

Download ComboFix from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Double-click combofix.exe and follow the prompts. Please, never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
northrider1
I can't get ComboFix to run. Is there something else I can try?

I had it installed earlier.
Tigger93
Delete your current copy of it.

Download it again but save it as fixfix.exe and see if it will run.
northrider1
ComboFix log


ComboFix 09-05-21.01 - Loanna 21/05/2009 22:16.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.2.1033.18.893.410 [GMT -4:00]
Running from: c:\users\Loanna\Desktop\FixFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\SAV
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\drivers\UACuyxejicvcrbbpuj.sys
c:\windows\system32\fomowipi.dll
c:\windows\system32\UACcofiyletloomypg.log
c:\windows\system32\UACcvxcvnqisbbyqla.dll
c:\windows\system32\UACdcetpexyeptvxop.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClttnnmitruvvprg.dll
c:\windows\system32\UACqierfbdivftjryn.dll
c:\windows\system32\UACrucrrqnddhtoiws.dat
c:\windows\system32\UACwspsmmjegcrotvq.log
c:\windows\system32\UACxflsktqeldsjsvn.dll
c:\windows\system32\UACxxomxfbruwufiop.log

----- BITS: Possible infected sites -----

hxxp://softwaredownloadcentercom.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.

2009-05-22 02:24 . 2009-05-22 02:29 -------- d-----w c:\users\Loanna\AppData\Local\temp
2009-05-22 02:24 . 2009-05-22 02:24 -------- d-----w c:\users\Pete\AppData\Local\temp
2009-05-21 23:11 . 2009-05-21 23:11 -------- d-----w c:\program files\Trend Micro
2009-05-21 23:06 . 2009-05-21 23:06 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-21 22:48 . 2009-05-21 23:00 -------- d-----w c:\programdata\NOS
2009-05-21 22:48 . 2009-05-21 22:48 -------- d-----w c:\program files\NOS
2009-05-21 22:40 . 2009-05-21 22:41 -------- d-----w C:\aaaa
2009-05-21 21:19 . 2009-05-21 21:19 -------- d-----w c:\users\Loanna\AppData\Roaming\Malwarebytes
2009-05-21 00:28 . 2009-03-30 14:33 96104 ----a-w c:\windows\system32\drivers\avipbb.sys
2009-05-21 00:28 . 2009-03-24 20:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-21 00:27 . 2009-05-21 00:27 -------- d-----w c:\programdata\Avira
2009-05-21 00:27 . 2009-05-21 00:27 -------- d-----w c:\program files\Avira
2009-05-21 00:03 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-21 00:03 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-21 00:03 . 2009-05-21 21:19 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-19 22:25 . 2009-05-20 23:13 -------- d-----w c:\programdata\Yahoo!
2009-05-19 21:42 . 2009-05-19 21:43 -------- d-----w c:\users\Loanna\AppData\Local\CutePDF Writer
2009-05-19 21:41 . 2009-05-19 21:41 -------- d-----w c:\program files\GPLGS
2009-05-19 21:40 . 2007-07-13 02:33 87552 ----a-w c:\windows\system32\cpwmon2k.dll
2009-05-19 21:40 . 2009-05-19 21:40 -------- d-----w c:\program files\Acro Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-21 23:05 . 2006-12-08 21:35 -------- d-----w c:\program files\Common Files\Adobe
2009-05-21 22:44 . 2008-09-11 00:16 -------- d-----w c:\program files\LizardTech
2009-05-20 00:49 . 2008-11-12 21:19 -------- d-----w c:\program files\Dl_cats
2009-05-11 21:07 . 2008-12-14 16:14 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-20 21:20 . 2008-12-18 22:56 1032 ----a-w c:\users\Loanna\AppData\Roaming\wklnhst.dat
2009-03-30 23:32 . 2007-10-09 10:31 120648 ----a-w c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-03-30 23:26 . 2008-08-21 04:59 -------- d-----w c:\programdata\Microsoft Help
2007-09-16 06:35 . 2007-09-22 04:28 66408 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-09-16 06:35 . 2007-09-22 04:28 54112 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-09-16 06:35 . 2007-09-22 04:28 34688 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2007-09-16 06:35 . 2007-09-22 04:28 46456 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2007-09-16 06:35 . 2007-09-22 04:28 171880 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-12 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-08 155648]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-12 411768]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-12-11 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-11 530552]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"DLBXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2007-02-22 73728]
"dlbxmon.exe"="c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe" [2007-02-28 435696]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX6000"="c:\windows\vVX6000.exe" [2007-04-10 996712]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2006-11-07 3772416]
"NDSTray.exe"="NDSTray.exe" [BU]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
"AntiVirusDisableNotify"="0"
"UpdatesDisableNotify"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5A1039BD-F032-47A5-94E6-DA7BF796CC34}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{25E60626-82EA-4097-8860-EB688BFAB22B}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{B589D34C-71D1-4084-A211-57B85EE3EB38}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{E1A0632E-127E-443B-815F-6DC5D9404944}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{28E328C4-4472-4136-A61D-FC78451C1D0F}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{90C0FEB7-846E-4D98-9C61-C642B7172A05}"= UDP:c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe:Device Monitor
"{62844E8E-FF69-4887-9D13-6FA366650CC8}"= TCP:c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe:Device Monitor
"{1012589B-7F29-4132-AEC4-E489C6802B87}"= UDP:c:\program files\Dell Photo AIO Printer 962\dlbxaiox.exe:All In One Center
"{34CD6DEA-6DF8-4CC1-8196-3FF47B3DEB3A}"= TCP:c:\program files\Dell Photo AIO Printer 962\dlbxaiox.exe:All In One Center
"{4FE71971-6C61-415F-AECF-C52D4DDA7CD2}"= Disabled:UDP:135:TCP Port 135
"{61EE6D80-CA33-4E86-BEE8-728643D46FDF}"= Disabled:UDP:5000:TCP Port 5000
"{8D066226-A1DA-4D51-937B-C4E3BBCB348D}"= Disabled:UDP:5001:TCP Port 5001
"{9E9633D5-9104-4232-9BD1-E7F05B6D5F77}"= Disabled:UDP:5002:TCP Port 5002
"{7E9089E1-7933-41DD-ABE6-2F8B652CBC82}"= Disabled:UDP:5003:TCP Port 5003
"{71921C0C-98EF-4187-AC08-86327792D875}"= Disabled:UDP:5004:TCP Port 5004
"{DA84D525-87C9-422D-8A1A-AB83057C3B42}"= Disabled:UDP:5005:TCP Port 5005
"{F05B3C09-5AAC-4066-821A-C08CF3FBF485}"= Disabled:UDP:5006:TCP Port 5006
"{C64C2212-0A2E-4C63-9DFD-BD0C6A675EA9}"= Disabled:UDP:5007:TCP Port 5007
"{284E3BEF-31F0-474B-9E33-F1293D4B6F6A}"= Disabled:UDP:5008:TCP Port 5008
"{E0EEE029-1E09-4033-A357-0C5E8F4C1A86}"= Disabled:UDP:5009:TCP Port 5009
"{204D425E-AF1F-417F-9968-22FB77E0C264}"= Disabled:UDP:5010:TCP Port 5010
"{87C2A513-1503-466D-B1B4-EF52A11217A9}"= Disabled:UDP:5011:TCP Port 5011
"{47EDE319-6BA2-4B6F-AAA8-5D66164D925F}"= Disabled:UDP:5012:TCP Port 5012
"{CC861C24-0552-461B-9269-9117BE183167}"= Disabled:UDP:5013:TCP Port 5013
"{41F57F82-A086-4B50-A3E0-8E522B6F2DA4}"= Disabled:UDP:5014:TCP Port 5014
"{F905129E-3208-44D2-A112-826279F33A0C}"= Disabled:UDP:5015:TCP Port 5015
"{0A1A265F-F938-4650-BB98-054BED003D2F}"= Disabled:UDP:5016:TCP Port 5016
"{CD81DAA5-9FD3-44E1-B2B0-80FB860AF82A}"= Disabled:UDP:5017:TCP Port 5017
"{1D632427-21EF-4C8A-A473-3973145299D6}"= Disabled:UDP:5018:TCP Port 5018
"{F56E94E0-56F1-4C45-82EC-9025EFFF7CE0}"= Disabled:UDP:5019:TCP Port 5019
"{37C9015A-D9C2-4ADC-A989-5C4E36C66E4C}"= Disabled:UDP:5020:TCP Port 5020
"{75733ABF-8429-4F04-A9FA-C9B702D5C44C}"= UDP:c:\windows\System32\dlbxcoms.exe:Dell 962 Server
"{AEF8BDE9-3D7A-4674-AFC7-9AF1A877F8EE}"= TCP:c:\windows\System32\dlbxcoms.exe:Dell 962 Server
"{849A47A4-62F3-4716-A94D-57DFD97CA6A1}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\dlbxpswx.exe:Dell 962 Printer Status
"{4E72EBDB-D4D2-4169-B204-9D6AB9D31E50}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\dlbxpswx.exe:Dell 962 Printer Status
"{99C0D64D-D6E9-4E97-A0FE-BA00D2316B03}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{8D388829-0F52-4B3D-BC04-962BC5113085}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{EDEE7CFC-667E-4072-A0A0-5CBF9AC4F592}c:\\program files\\microsoft games\\age of empires ii\\age2_x1\\age2_x1.exe"= UDP:c:\program files\microsoft games\age of empires ii\age2_x1\age2_x1.exe:Age of Empires II Expansion
"UDP Query User{340BEA5A-FFB7-4619-9622-8423B086F3A4}c:\\program files\\microsoft games\\age of empires ii\\age2_x1\\age2_x1.exe"= TCP:c:\program files\microsoft games\age of empires ii\age2_x1\age2_x1.exe:Age of Empires II Expansion
"{6BE7F292-F882-4B99-BF80-F0863BAEBBD8}"= UDP:c:\program files\Internet Explorer\iexplore.exe:iexplore
"{C0257DB6-5AFD-4C0F-9E9F-9BA4AF5FC913}"= UDP:c:\program files\Internet Explorer\iexplore.exe:iexplore
"{51335F02-2044-4217-B036-FB01E6EEDD95}"= TCP:c:\program files\Internet Explorer\iexplore.exe:iexplore
"{A580D70C-CC0B-4E8B-930B-8E887798AA32}"= TCP:c:\program files\Internet Explorer\iexplore.exe:iexplore
"{FB9AE91A-BB03-42D7-BDA5-F61B67B43D7F}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{2BAE3F48-16AE-43ED-B103-8CEA8EF755D3}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{1AA165BC-C691-4AE5-8496-54912DF0B97E}"= UDP:c:\windows\System32\rundll32.exe:rundll32
"{2A5DF2C4-2DB8-498C-929B-732F9C275FFE}"= UDP:c:\windows\System32\rundll32.exe:rundll32
"{4AA7614B-8EF5-4EF4-9ACD-1FB8332F387E}"= TCP:c:\windows\System32\rundll32.exe:rundll32
"{AF35CD4C-52D8-4151-B9D6-7D4ABBB119C4}"= TCP:c:\windows\System32\rundll32.exe:rundll32
"{7785894D-85F0-4082-8734-3D6C0C4E9FB8}"= UDP:c:\windows\System32\dllhost.exe:DllHost
"{267F0317-1F7E-4834-8D82-255E36DA938F}"= UDP:c:\windows\System32\dllhost.exe:DllHost
"{2886791E-0D9D-464A-B809-385E1D78D499}"= TCP:c:\windows\System32\dllhost.exe:DllHost
"{92025D20-B185-449A-B319-AB82346F70AF}"= TCP:c:\windows\System32\dllhost.exe:DllHost
"{7E2A32B5-96C7-4106-87A3-61042FBBB14D}"= UDP:c:\windows\explorer.exe:Explorer
"{AB673329-FC57-47FA-AB5D-86EF3E617BD2}"= TCP:c:\windows\explorer.exe:Explorer
"{56D52238-DADF-492F-A748-0A664A45BDA7}"= UDP:c:\program files\TwonkyMedia\twonkymediaserverwatchdog.exe:TwonkyMedia
"{F2203DE6-2FB1-4D1E-B2AC-D842329F1610}"= TCP:c:\program files\TwonkyMedia\twonkymediaserverwatchdog.exe:TwonkyMedia
"{707437ED-4A18-4CAD-8676-D56F4A085E7B}"= UDP:c:\program files\TwonkyMedia\twonkymediaserver.exe:TwonkyMediaServer
"{F389730C-5F31-4EED-9345-D3AEB2FB913A}"= TCP:c:\program files\TwonkyMedia\twonkymediaserver.exe:TwonkyMediaServer
"TCP Query User{757CEBA8-838D-40DA-8E61-CBC8B9CEAB0C}c:\\program files\\twonkymedia\\mediamanager\\twonkymediamanager.exe"= UDP:c:\program files\twonkymedia\mediamanager\twonkymediamanager.exe:ControlPoint Application
"UDP Query User{A02947D5-D045-44CD-B6FD-BF6C96427363}c:\\program files\\twonkymedia\\mediamanager\\twonkymediamanager.exe"= TCP:c:\program files\twonkymedia\mediamanager\twonkymediamanager.exe:ControlPoint Application
"{A0494E79-63ED-4BB6-8E23-BFA604DFCEAB}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{443E0686-B16F-4691-BD03-B68BC74E1933}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{F70F99AB-8BFC-4315-98CF-2C9E2BA215A5}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{4F0A5E4B-EE85-46FD-B538-0D56C3C84ECA}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"TCP Query User{68A51FED-A129-4218-812D-9DDDCC1F13D8}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
"UDP Query User{401712F0-8894-4543-A6E7-FF1B6937779B}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
"{3A1CE537-99ED-47EB-97B1-1F2C44DF5166}"= UDP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{B45DACBC-F779-4B17-A08D-30C27611D14C}"= TCP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{3B182546-B123-4939-87A8-29EEF3DCB870}"= UDP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{835ED32F-F8B0-450A-8738-CDC37C24DCE3}"= TCP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{5277FFCF-DE86-4A92-853D-000271182D63}"= UDP:c:\windows\System32\wininit.exe:wininit
"{ADF0AB61-21F5-4364-95B3-C36269BE042E}"= TCP:c:\windows\System32\wininit.exe:wininit
"{49C4EEB2-3B44-489F-9777-FCEE6CAB5A63}"= UDP:c:\windows\System32\taskmgr.exe:Taskmgr
"{44A48AC2-587E-4A8B-AE65-31F12A5760EA}"= UDP:c:\program files\TOSHIBA\Power Saver\TPwrMain.exe:TPwrMain
"{4788ED39-31FF-4BB9-B585-38FC964582CC}"= UDP:c:\program files\TOSHIBA\Power Saver\TPwrMain.exe:TPwrMain
"{7DD61887-4DA0-4AFD-8CED-83457FBD0A7D}"= TCP:c:\program files\TOSHIBA\Power Saver\TPwrMain.exe:TPwrMain
"{0EEDE2A9-DB8E-466C-B989-FE38F4E0DC97}"= TCP:c:\program files\TOSHIBA\Power Saver\TPwrMain.exe:TPwrMain
"{1785C0B6-3509-4E36-9DFA-33C1CED10442}"= UDP:c:\windows\System32\LogonUI.exe:LogonUI
"{E51C5F2B-54F5-481D-B4BE-312E5B961469}"= UDP:c:\windows\System32\LogonUI.exe:LogonUI
"{4FB6813C-E5E0-450E-A081-FE83727469B8}"= TCP:c:\windows\System32\LogonUI.exe:LogonUI
"{61FA0FBD-B177-44E4-A58E-88435BCB920C}"= TCP:c:\windows\System32\LogonUI.exe:LogonUI
"TCP Query User{AEE657EB-8DE1-4C3A-9ABF-3C75F2B089B3}c:\\program files\\microsoft games\\age of empires ii\\age2_x1\\age2_x1.exe"= UDP:c:\program files\microsoft games\age of empires ii\age2_x1\age2_x1.exe:Age of Empires II Expansion
"UDP Query User{3C95911C-9AC6-4BE1-862D-CC7EF532CA33}c:\\program files\\microsoft games\\age of empires ii\\age2_x1\\age2_x1.exe"= TCP:c:\program files\microsoft games\age of empires ii\age2_x1\age2_x1.exe:Age of Empires II Expansion

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Users\\Loanna\\AppData\\Local\\Temp\\imbot.exe"= c:\users\Loanna\AppData\Local\Temp\imbot.exe:*:Enabled:csrss

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20080716.002\IDSvix86.sys [18/07/2008 2:53 AM 261680]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [20/01/2008 1:54 PM 109616]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [08/12/2006 6:29 PM 7168]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [30/10/2007 10:55 PM 37936]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\System32\drivers\VX6000Xp.sys [10/04/2007 5:46 PM 2385896]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*Deregistered* - comHost

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2009-05-12 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Loanna.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]

2009-05-21 c:\windows\Tasks\User_Feed_Synchronization-{92CFBC49-3256-42F5-B7CC-124D9E49FC54}.job
- c:\windows\system32\msfeedssync.exe [2008-06-30 07:33]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ca.yahoo.com/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.
.
------- File Associations -------
.
inffile=c:\windows\System32\NOTEPAD.EXE "%1"
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 22:29
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000009
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\System32\conime.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\System32\dlbxcoms.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\System32\PnkBstrA.exe
c:\windows\System32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\TOSHIBA\ConfigFree\CFSwMgr.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2009-05-22 22:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-22 02:38

Pre-Run: 26,314,895,360 bytes free
Post-Run: 25,936,498,688 bytes free

300 --- E O F --- 2009-02-27 21:21

hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:34 PM, on 21/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\conime.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\Windows\vVX6000.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.celartem.com/en/download/data/d...ntrol_en_US.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resou...NPUplden-ca.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbx_device - - C:\Windows\system32\dlbxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9519 bytes
northrider1
Ran both of those, then Malwarebytes, and no more infections are showing, so I hope it's gone.
Tigger93
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\Users\Loanna\AppData\Local\Temp\imbot.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Users\\Loanna\\AppData\\Local\\Temp\\imbot.exe"=-

DirLook::
C:\aaaa

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
Invision Power Board © 2001-2010 Invision Power Services, Inc.