Jump to content

JN1

Members
  • Posts

    5
  • Joined

  • Last visited

Reputation

0 Neutral
  1. Infected with Sirefef rootkit. Running W7 64 Home Premium MBAM does not see it. Windows Security Essentials does but can't t prevent it from coming back. I need online help if possible. It would be greatly appreciated. DDS report follows: . DDS (Ver_2011-08-26.01) - NTFSAMD64 Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24 Run by Paulo at 9:29:39 on 2012-04-04 Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1015.290 [GMT -4:00] . AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160} SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . ============== Running Processes =============== . C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\System32\spoolsv.exe C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe C:\Windows\system32\taskhost.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt C:\Windows\system32\svchost.exe -k HsfXAudioService C:\Windows\system32\svchost.exe -k imgsvc C:\Windows\system32\taskeng.exe C:\Program Files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe C:\Windows\system32\conhost.exe C:\Windows\system32\SearchIndexer.exe C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe C:\Windows\System32\svchost.exe -k LocalServicePeerNet C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe C:\Program Files\Microsoft Security Client\msseces.exe c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files (x86)\iTunes\iTunesHelper.exe C:\Windows\system32\svchost.exe -k defragsvc C:\Windows\system32\taskhost.exe C:\Windows\system32\WUDFHost.exe \\?\C:\Windows\system32\wbem\WMIADAP.EXE C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\SearchFilterHost.exe C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe C:\Windows\SysWOW64\cscript.exe C:\Windows\system32\wbem\wmiprvse.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.google.ca/ mStart Page = hxxp://home.sweetim.com uInternet Settings,ProxyOverride = *.local uInternet Settings,ProxyServer = http=127.0.0.1:54990 uURLSearchHooks: H - No File uURLSearchHooks: 4shared.com Toolbar: {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - C:\Program Files (x86)\4shared.com\prxtb4sha.dll mURLSearchHooks: 4shared.com Toolbar: {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - C:\Program Files (x86)\4shared.com\prxtb4sha.dll mWinlogon: Userinit=userinit.exe, BHO: 4shared.com Toolbar: {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - C:\Program Files (x86)\4shared.com\prxtb4sha.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll BHO: SweetIM Toolbar Helper: {eee6c35c-6118-11dc-9c72-001320c79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll TB: 4shared.com Toolbar: {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - C:\Program Files (x86)\4shared.com\prxtb4sha.dll TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll TB: SweetIM Toolbar for Internet Explorer: {eee6c35b-6118-11dc-9c72-001320c79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File uRun: [Google Update] "C:\Users\Paulo\AppData\Local\Google\Update\GoogleUpdate.exe" /c uRun: [Advanced SystemCare 5] "C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" /AutoStart uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime mRun: [sweetIM] C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe uPolicies-explorer: HideSCAHealth = 1 (0x1) mPolicies-explorer: NoActiveDesktop = 1 (0x1) mPolicies-explorer: HideSCAHealth = 1 (0x1) mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0) mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3) mPolicies-system: EnableLUA = 0 (0x0) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) mPolicies-system: PromptOnSecureDesktop = 0 (0x0) IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000 LSP: mswsock.dll DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab TCP: DhcpNameServer = 192.168.0.1 TCP: Interfaces\{459676A1-0C73-4AD9-925D-33874E2675F0} : DhcpNameServer = 192.168.0.1 TCP: Interfaces\{459676A1-0C73-4AD9-925D-33874E2675F0}\C696E6B6379737 : DhcpNameServer = 64.71.255.198 Notify: jerbiuw - C:\Windows\system32\config\systemprofile\AppData\Local\jerbiuw.dll SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4 BHO-X64: 4shared.com Toolbar: {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - C:\Program Files (x86)\4shared.com\prxtb4sha.dll BHO-X64: 4shared.com - No File BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO-X64: AcroIEHelperStub - No File BHO-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll BHO-X64: Conduit Engine - No File BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll BHO-X64: SweetIM Toolbar Helper: {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll BHO-X64: SWEETIE - No File BHO-X64: Yontoo Layers: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll BHO-X64: Yontoo Layers - No File TB-X64: 4shared.com Toolbar: {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - C:\Program Files (x86)\4shared.com\prxtb4sha.dll TB-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll TB-X64: SweetIM Toolbar for Internet Explorer: {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime mRun-x64: [sweetIM] C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" Hosts: 109.163.226.208 www.google-analytics.com. Hosts: 109.163.226.208 ad-emea.doubleclick.net. Hosts: 109.163.226.208 www.statcounter.com. Hosts: 67.215.245.19 www.google-analytics.com. Hosts: 67.215.245.19 ad-emea.doubleclick.net. . Note: multiple HOSTS entries found. Please refer to Attach.txt . ================= FIREFOX =================== . FF - ProfilePath - C:\Users\Paulo\AppData\Roaming\Mozilla\Firefox\Profiles\k2ulv5ii.default\ FF - prefs.js: browser.search.defaulturl - FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://home.sweetim.com FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q= FF - prefs.js: network.proxy.http - 127.0.0.1 FF - prefs.js: network.proxy.http_port - 54990 FF - prefs.js: network.proxy.type - 0 FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll FF - plugin: C:\Users\Paulo\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} FF - Ext: SweetIM Toolbar for Firefox: {EEE6C361-6118-11DC-9C72-001320C79847} - %profile%\extensions\{EEE6C361-6118-11DC-9C72-001320C79847} . ============= SERVICES / DRIVERS =============== . R0 SmartDefragDriver;SmartDefragDriver;C:\Windows\system32\Drivers\SmartDefragDriver.sys --> C:\Windows\system32\Drivers\SmartDefragDriver.sys [?] R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?] R1 VWiFiFlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?] R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928] R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2012-2-9 913752] R2 HsfXAudioService;HsfXAudioService;C:\Windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992] R2 IMFservice;IMF Service;C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe [2011-8-28 820568] R3 CAXHWBS2;CAXHWBS2;C:\Windows\system32\DRIVERS\CAXHWBS2.sys --> C:\Windows\system32\DRIVERS\CAXHWBS2.sys [?] R3 netr28ux;RT2870 USB Extensible Wireless LAN Card Driver;C:\Windows\system32\DRIVERS\netr28ux.sys --> C:\Windows\system32\DRIVERS\netr28ux.sys [?] R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?] R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272] R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?] R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?] S1 gyfivgky;gyfivgky;\??\C:\Windows\system32\drivers\gyfivgky.sys --> C:\Windows\system32\drivers\gyfivgky.sys [?] S1 pcohaohk;pcohaohk;\??\C:\Windows\system32\drivers\pcohaohk.sys --> C:\Windows\system32\drivers\pcohaohk.sys [?] S1 pkqlnizy;pkqlnizy;\??\C:\Windows\system32\drivers\pkqlnizy.sys --> C:\Windows\system32\drivers\pkqlnizy.sys [?] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576] S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-22 136176] S2 RelevantKnowledge;RelevantKnowledge;C:\Program Files (x86)\RelevantKnowledge\rlservice.exe /service --> C:\Program Files (x86)\RelevantKnowledge\rlservice.exe [?] S3 athrusb;Atheros Wireless LAN USB device driver;C:\Windows\system32\DRIVERS\athrxusb.sys --> C:\Windows\system32\DRIVERS\athrxusb.sys [?] S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-22 136176] S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?] S3 RegFilter;RegFilter;C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\RegFilter.sys [2011-8-28 33184] S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?] S3 UrlFilter;UrlFilter;C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\UrlFilter.sys [2011-8-28 21328] S3 VST64_DPV;VST64_DPV;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?] S3 VST64HWBS2;VST64HWBS2;C:\Windows\system32\DRIVERS\VSTBS26.SYS --> C:\Windows\system32\DRIVERS\VSTBS26.SYS [?] S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?] S4 FileMonitor;FileMonitor;C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys [2011-8-28 20336] . =============== Created Last 30 ================ . 2012-04-04 03:05:39 -------- d-----w- C:\Program Files\iPod 2012-04-04 03:05:28 -------- d-----w- C:\Program Files\iTunes 2012-04-04 03:05:28 -------- d-----w- C:\Program Files (x86)\iTunes 2012-04-04 02:20:06 50000 ----a-w- C:\Windows\System32\drivers\gyfivgky.sys 2012-04-04 01:57:31 50000 ----a-w- C:\Windows\System32\drivers\pkqlnizy.sys 2012-04-04 01:51:37 50000 ----a-w- C:\Windows\System32\drivers\pcohaohk.sys 2012-04-04 01:50:04 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{03D18759-C5CB-43C0-AA62-A726A9C2B0A9}\offreg.dll 2012-04-04 01:42:58 927800 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A55ACEF4-236B-457E-BB88-53AC66499357}\gapaengine.dll 2012-04-04 01:42:44 8669240 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{03D18759-C5CB-43C0-AA62-A726A9C2B0A9}\mpengine.dll 2012-04-04 01:39:11 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client 2012-04-04 01:38:59 -------- d-----w- C:\Program Files\Microsoft Security Client 2012-03-15 03:32:43 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe 2012-03-15 03:32:42 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe 2012-03-15 03:32:41 3913584 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe 2012-03-15 03:28:55 3145728 ----a-w- C:\Windows\System32\win32k.sys 2012-03-15 03:28:53 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll 2012-03-15 03:28:53 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys 2012-03-15 03:28:53 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys 2012-03-15 03:28:53 1031680 ----a-w- C:\Windows\System32\rdpcore.dll 2012-03-15 03:28:51 1544192 ----a-w- C:\Windows\System32\DWrite.dll 2012-03-15 03:28:51 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll 2012-03-15 03:28:47 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe 2012-03-15 03:28:47 77312 ----a-w- C:\Windows\System32\rdpwsx.dll 2012-03-15 03:28:47 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll 2012-03-15 03:24:51 -------- d-----w- C:\Program Files (x86)\Graboid 2012-03-14 22:29:38 -------- d-----w- C:\Program Files (x86)\Common Files\SWF Studio . ==================== Find3M ==================== . 2012-02-18 03:25:19 0 --sha-w- C:\Windows\System32\dds_trash_log.cmd 2012-01-31 12:44:20 279656 ------w- C:\Windows\System32\MpSigStub.exe . ============= FINISH: 9:31:39.36 ===============
  2. ----------------------------- OK, here is the Combofix Log: ComboFix 09-04-17.01 - JN 04/16/2009 22:34.5 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526.1155 [GMT -4:00] Running from: c:\documents and settings\JN\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\JN\Desktop\CFScript.txt AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) * Created a new restore point FILE :: c:\windows\system32\drivers\jzjctgks.sys . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\drivers\jzjctgks.sys . ((((((((((((((((((((((((( Files Created from 2009-03-17 to 2009-04-17 ))))))))))))))))))))))))))))))) . 2009-04-17 00:20 . 2009-04-17 00:20 -------- d-----w C:\RkUnhooker 2009-04-16 21:02 . 2009-04-16 21:02 -------- dc----w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} 2009-04-16 16:50 . 2009-04-16 16:50 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys 2009-04-16 14:59 . 2009-04-16 15:00 -------- d-----w C:\New Folder 2009-04-16 02:17 . 2009-04-16 02:17 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-04-16 02:01 . 2009-04-16 02:01 -------- d-----w c:\documents and settings\JN\Application Data\SUPERAntiSpyware.com 2009-04-16 01:54 . 2009-04-16 01:54 -------- d-----w c:\documents and settings\JN\Application Data\Malwarebytes 2009-04-16 01:54 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-04-16 01:54 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-04-16 01:54 . 2009-04-16 01:54 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-04-17 01:53 . 2009-04-16 01:57 -------- d-----w c:\program files\Marcos Velasco Security 2009-04-17 01:50 . 2007-05-09 22:24 -------- d-----w c:\program files\Common Files\Wise Installation Wizard 2009-04-17 01:50 . 2007-05-19 12:23 -------- d-----w c:\program files\Lavasoft 2009-04-17 01:49 . 2009-04-16 15:58 -------- d-----w c:\program files\Enigma Software Group 2009-04-17 01:48 . 2008-05-30 00:15 -------- d-----w c:\program files\EasyZip 2009-04-16 21:58 . 2009-04-16 21:58 -------- d-----w c:\program files\ACW 2009-04-16 20:38 . 2007-04-25 06:05 28160 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-04-16 16:07 . 2009-04-16 16:07 -------- d-----w c:\program files\FileASSASSIN 2009-04-16 15:32 . 2009-04-16 15:26 -------- d-----w c:\program files\RegCure 2009-04-16 13:32 . 2009-04-16 13:32 -------- d-----w c:\program files\Unlocker 2009-04-16 02:01 . 2009-04-16 02:01 -------- d-----w c:\program files\SUPERAntiSpyware 2009-04-16 01:56 . 2009-04-16 01:56 -------- d-----w c:\program files\CCleaner 2009-04-16 01:54 . 2009-04-16 01:54 -------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-04-15 20:54 . 2009-04-16 00:06 5300 ----a-w C:\Yoog steps.txt 2009-04-15 02:52 . 2009-04-15 02:52 -------- d-----w c:\program files\Trend Micro 2009-04-14 01:39 . 2009-02-24 00:44 -------- d-----w c:\documents and settings\JN\Application Data\LimeWire 2009-04-13 22:15 . 2009-04-13 22:15 -------- d-----w c:\program files\360Share Pro 2009-04-13 20:47 . 2009-04-13 20:47 -------- d-----w c:\program files\7-Zip 2009-04-08 01:40 . 2009-04-08 01:40 -------- d-----w c:\program files\MSECache 2009-03-09 22:18 . 2007-08-13 02:27 24272 ----a-w c:\documents and settings\JN\Application Data\GDIPFONTCACHEV1.DAT 2009-02-28 23:17 . 2009-02-28 23:13 -------- d-----w c:\program files\QuickTax 2008 2009-02-27 00:59 . 2008-01-12 15:42 -------- d-----w c:\documents and settings\JN\Application Data\EndNote 2009-02-24 00:44 . 2007-06-05 21:57 -------- d-----w c:\program files\LimeWire 2009-02-11 14:41 . 2009-02-11 14:41 520851 ----a-w C:\Beatriz PG Life Sciences 2009.eml 2009-01-31 03:11 . 2009-01-31 01:34 84472 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat 2008-09-24 23:09 . 2007-05-09 23:25 2114 ----a-w c:\documents and settings\JN\Application Data\WWB7_32.DAT 2008-02-24 23:00 . 2008-02-24 23:00 81920 ----a-w c:\documents and settings\JN\Application Data\ezpinst.exe 2008-02-24 23:00 . 2008-02-24 23:00 47360 ----a-w c:\documents and settings\JN\Application Data\pcouffin.sys 2007-07-28 18:06 . 2007-07-28 18:06 722176 ----a-w c:\documents and settings\JN\gotomypc_428.exe 2007-04-25 06:05 . 2007-10-13 01:37 12328 ----a-w c:\documents and settings\Friends\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2007-04-25 06:05 . 2007-05-05 00:04 12328 ----a-w c:\documents and settings\JN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2007-04-25 05:56 . 2007-10-13 01:37 136 ----a-w c:\documents and settings\Friends\Local Settings\Application Data\fusioncache.dat 2007-04-25 05:56 . 2007-05-05 00:04 136 ----a-w c:\documents and settings\JN\Local Settings\Application Data\fusioncache.dat 2007-04-25 05:56 . 2007-04-25 05:56 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat . ((((((((((((((((((((((((((((( SnapShot@2009-04-17_01.01.13 ))))))))))))))))))))))))))))))))))))))))) . + 2004-08-11 22:00 . 2009-04-17 02:05 72134 c:\windows\system32\perfc009.dat - 2004-08-11 22:00 . 2009-04-16 01:39 72134 c:\windows\system32\perfc009.dat + 2004-08-11 22:12 . 2008-10-16 18:12 202776 c:\windows\system32\wuweb.dll + 2004-08-11 22:00 . 2009-04-17 02:05 443034 c:\windows\system32\perfh009.dat - 2004-08-11 22:00 . 2009-04-16 01:39 443034 c:\windows\system32\perfh009.dat + 2004-08-11 22:12 . 2008-10-16 18:12 202776 c:\windows\system32\dllcache\wuweb.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "TouchFreeze"="c:\program files\TouchFreeze\TouchFreeze.exe" [2005-04-29 45056] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824] "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128] "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 wvauth [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk] backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WZCSVC"=2 (0x2) "TapiSrv"=3 (0x3) "SPBBCSvc"=2 (0x2) "SCardSvr"=2 (0x2) "S24EventMonitor"=2 (0x2) "DefWatch"=2 (0x2) "ccSetMgr"=2 (0x2) "ccEvtMgr"=2 (0x2) "aawservice"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "c:\\Program Files\\SopCast\\SopCast.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= R3 AvSynMgr;AVSync Manager;c:\program files\Network Associates\VirusScan\Avsynmgr.exe [2001-04-30 155665] R3 NaiFiltr;NaiFiltr;c:\program files\Common Files\Network Associates\McShield\NaiFiltr.sys [2001-04-30 24480] R3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\DRIVERS\OMVA.sys [2002-11-20 14924] R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408] R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-28 116464] S0 NaiFsRec;NaiFsRec;c:\windows\system32\drivers\NaiFsRec.sys [2001-04-30 4512] S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968] S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-16 101936] . Contents of the 'Scheduled Tasks' folder 2009-03-21 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job - c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2007-02-09 06:04] 2009-04-16 c:\windows\Tasks\RegCure Program Check.job - c:\program files\RegCure\RegCure.exe [2008-12-29 17:58] 2009-04-16 c:\windows\Tasks\RegCure.job - c:\program files\RegCure\RegCure.exe [2008-12-29 17:58] . . ------- Supplementary Scan ------- . uStart Page = about:blank uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=WEGgZKKQApaAZEzv3ynZ0m0ZK04 uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll FF - ProfilePath - c:\documents and settings\JN\Application Data\Mozilla\Firefox\Profiles\t3c2nlzk.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q= FF - prefs.js: browser.search.selectedEngine - Yoog Search FF - prefs.js: browser.startup.homepage - about:blank FF - prefs.js: keyword.URL - hxxp://www15.yoog.com/search.php?q= FF - component: c:\documents and settings\JN\Application Data\Mozilla\Firefox\Profiles\t3c2nlzk.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll ---- FIREFOX POLICIES ---- FF - user.js: google.toolbar.linkdoctor.enabled - false FF - user.js: browser.search.defaultenginename - Yoog Search FF - user.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q= FF - user.js: browser.search.selectedEngine - Yoog Search FF - user.js: keyword.URL - hxxp://www15.yoog.com/search.php?q= FF - user.js: keyword.enabled - true . ************************************************************************** catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-04-16 22:38 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1060) c:\program files\SUPERAntiSpyware\SASWINLO.dll - - - - - - - > 'lsass.exe'(1116) c:\windows\system32\wvauth.dll c:\windows\system32\biolsp.dll - - - - - - - > 'explorer.exe'(2516) c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\windows\system32\igfxsrvc.exe c:\program files\Apoint\hidfind.exe c:\program files\Apoint\ApntEx.exe c:\program files\Dell\QuickSet\NicConfigSvc.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2009-04-17 22:41 - machine was rebooted ComboFix-quarantined-files.txt 2009-04-17 02:41 ComboFix2.txt 2009-04-17 02:30 ComboFix3.txt 2009-04-17 01:04 ComboFix4.txt 2009-04-16 22:25 ComboFix5.txt 2009-04-17 02:33 Pre-Run: 51,951,304,704 bytes free Post-Run: 51,936,419,840 bytes free 207 --- E O F --- 2008-05-19 19:43 And here is the HJT log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:46:48 PM, on 4/16/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\stsystra.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\TouchFreeze\TouchFreeze.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Apoint\HidFind.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070425 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=WE...ZEzv3ynZ0m0ZK04 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [TouchFreeze] C:\Program Files\TouchFreeze\TouchFreeze.exe O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {203C12EA-EF5A-4989-BD68-5844A877A9AF} (prjOCFTools.OCFTools) - http://ocf.rogershelp.com/prjOCFTools.CAB O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1239933614671 O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://ra.camh.net/QSTSWeb/msrdp.cab O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 7615 bytes Thanks!
  3. ------------------------------------------------------------ It worked perfectly, thanks for the terrific help. Here are the logs: Combofix log: ComboFix 09-04-17.01 - JN 04/16/2009 20:56.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526.1068 [GMT -4:00] Running from: c:\documents and settings\JN\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\JN\Desktop\CFScript.txt AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) * Created a new restore point FILE :: C:\avenger.txt c:\documents and settings\JN\Application Data\Mozilla\Firefox\Profiles\t3c2nlzk.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll c:\documents and settings\JN\Local Settings\Temp\jhpwyrjt.dat c:\program files\Uninstall Morpheus Toolbar.dll c:\windows\Ekegatoqe.bin c:\windows\Qwowadu.dat c:\windows\system32\BROSNM.dll c:\windows\system32\drivers\uowtvoiv.sys c:\windows\system32\icudfibxwnyose.dll-uninst.exe c:\windows\system32\s5NYRKLt8CV2v.vbs . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\JN\Application Data\Mozilla\Firefox\Profiles\t3c2nlzk.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll c:\documents and settings\JN\Local Settings\Application Data\{94F9A716-C8F3-4569-9C48-264A07F0D282} c:\documents and settings\JN\Local Settings\Application Data\{94F9A716-C8F3-4569-9C48-264A07F0D282}\chrome.manifest c:\documents and settings\JN\Local Settings\Application Data\{94F9A716-C8F3-4569-9C48-264A07F0D282}\chrome\content\_cfg.js c:\documents and settings\JN\Local Settings\Application Data\{94F9A716-C8F3-4569-9C48-264A07F0D282}\chrome\content\c.js c:\documents and settings\JN\Local Settings\Application Data\{94F9A716-C8F3-4569-9C48-264A07F0D282}\chrome\content\overlay.xul c:\documents and settings\JN\Local Settings\Application Data\{94F9A716-C8F3-4569-9C48-264A07F0D282}\install.rdf c:\documents and settings\JN\Local Settings\Temp\jhpwyrjt.dat c:\program files\Uninstall Morpheus Toolbar.dll c:\windows\Ekegatoqe.bin c:\windows\Qwowadu.dat c:\windows\system32\BROSNM.dll c:\windows\system32\drivers\uowtvoiv.sys c:\windows\system32\icudfibxwnyose.dll-uninst.exe c:\windows\system32\s5NYRKLt8CV2v.vbs . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_UOWTVOIV -------\Service_uowtvoiv ((((((((((((((((((((((((( Files Created from 2009-03-17 to 2009-04-17 ))))))))))))))))))))))))))))))) . 2009-04-17 00:20 . 2009-04-17 00:20 -------- d-----w C:\RkUnhooker 2009-04-16 21:02 . 2009-04-16 21:02 -------- dc----w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} 2009-04-16 16:50 . 2009-04-16 16:50 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys 2009-04-16 14:59 . 2009-04-16 15:00 -------- d-----w C:\New Folder 2009-04-16 02:17 . 2009-04-16 02:17 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-04-16 02:01 . 2009-04-16 02:01 -------- d-----w c:\documents and settings\JN\Application Data\SUPERAntiSpyware.com 2009-04-16 01:54 . 2009-04-16 01:54 -------- d-----w c:\documents and settings\JN\Application Data\Malwarebytes 2009-04-16 01:54 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-04-16 01:54 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-04-16 01:54 . 2009-04-16 01:54 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-04-17 00:57 . 2004-08-11 22:00 23424 ----a-w c:\windows\system32\drivers\jzjctgks.sys 2009-04-17 00:42 . 2009-04-16 01:57 -------- d-----w c:\program files\Marcos Velasco Security 2009-04-16 21:58 . 2009-04-16 21:58 -------- d-----w c:\program files\ACW 2009-04-16 20:38 . 2007-04-25 06:05 28160 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-04-16 16:07 . 2009-04-16 16:07 -------- d-----w c:\program files\FileASSASSIN 2009-04-16 15:58 . 2009-04-16 15:58 -------- d-----w c:\program files\Enigma Software Group 2009-04-16 15:32 . 2009-04-16 15:26 -------- d-----w c:\program files\RegCure 2009-04-16 14:05 . 2009-04-16 14:05 -------- d-----w c:\program files\Common Files\Gibinsoft Shared 2009-04-16 14:05 . 2009-04-16 14:05 -------- d-----w c:\program files\GiPo@Utilities 2009-04-16 13:32 . 2009-04-16 13:32 -------- d-----w c:\program files\Unlocker 2009-04-16 02:01 . 2009-04-16 02:01 -------- d-----w c:\program files\SUPERAntiSpyware 2009-04-16 01:56 . 2009-04-16 01:56 -------- d-----w c:\program files\CCleaner 2009-04-16 01:54 . 2009-04-16 01:54 -------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-04-15 20:54 . 2009-04-16 00:06 5300 ----a-w C:\Yoog steps.txt 2009-04-15 02:52 . 2009-04-15 02:52 -------- d-----w c:\program files\Trend Micro 2009-04-14 01:39 . 2009-02-24 00:44 -------- d-----w c:\documents and settings\JN\Application Data\LimeWire 2009-04-13 22:15 . 2009-04-13 22:15 -------- d-----w c:\program files\360Share Pro 2009-04-13 20:47 . 2009-04-13 20:47 -------- d-----w c:\program files\7-Zip 2009-04-08 01:40 . 2009-04-08 01:40 -------- d-----w c:\program files\MSECache 2009-03-09 22:18 . 2007-08-13 02:27 24272 ----a-w c:\documents and settings\JN\Application Data\GDIPFONTCACHEV1.DAT 2009-02-28 23:17 . 2009-02-28 23:13 -------- d-----w c:\program files\QuickTax 2008 2009-02-27 00:59 . 2008-01-12 15:42 -------- d-----w c:\documents and settings\JN\Application Data\EndNote 2009-02-24 00:44 . 2007-06-05 21:57 -------- d-----w c:\program files\LimeWire 2009-02-11 14:41 . 2009-02-11 14:41 520851 ----a-w C:\Beatriz PG Life Sciences 2009.eml 2009-01-31 03:11 . 2009-01-31 01:34 84472 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat 2008-09-24 23:09 . 2007-05-09 23:25 2114 ----a-w c:\documents and settings\JN\Application Data\WWB7_32.DAT 2008-02-24 23:00 . 2008-02-24 23:00 81920 ----a-w c:\documents and settings\JN\Application Data\ezpinst.exe 2008-02-24 23:00 . 2008-02-24 23:00 47360 ----a-w c:\documents and settings\JN\Application Data\pcouffin.sys 2007-07-28 18:06 . 2007-07-28 18:06 722176 ----a-w c:\documents and settings\JN\gotomypc_428.exe 2007-04-25 06:05 . 2007-10-13 01:37 12328 ----a-w c:\documents and settings\Friends\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2007-04-25 06:05 . 2007-05-05 00:04 12328 ----a-w c:\documents and settings\JN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2007-04-25 05:56 . 2007-10-13 01:37 136 ----a-w c:\documents and settings\Friends\Local Settings\Application Data\fusioncache.dat 2007-04-25 05:56 . 2007-05-05 00:04 136 ----a-w c:\documents and settings\JN\Local Settings\Application Data\fusioncache.dat 2007-04-25 05:56 . 2007-04-25 05:56 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "TouchFreeze"="c:\program files\TouchFreeze\TouchFreeze.exe" [2005-04-29 45056] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824] "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128] "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 wvauth [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk] backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mount.exe] 2008-04-11 20:17 374272 ----a-w c:\util\mount.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite] 2009-04-02 18:53 868352 ----a-w c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WZCSVC"=2 (0x2) "TapiSrv"=3 (0x3) "SPBBCSvc"=2 (0x2) "SCardSvr"=2 (0x2) "S24EventMonitor"=2 (0x2) "DefWatch"=2 (0x2) "ccSetMgr"=2 (0x2) "ccEvtMgr"=2 (0x2) "aawservice"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "c:\\Program Files\\SopCast\\SopCast.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= R3 AvSynMgr;AVSync Manager;c:\program files\Network Associates\VirusScan\Avsynmgr.exe [2001-04-30 155665] R3 NaiFiltr;NaiFiltr;c:\program files\Common Files\Network Associates\McShield\NaiFiltr.sys [2001-04-30 24480] R3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\DRIVERS\OMVA.sys [2002-11-20 14924] R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408] R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-28 116464] S0 NaiFsRec;NaiFsRec;c:\windows\system32\drivers\NaiFsRec.sys [2001-04-30 4512] S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968] S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-16 101936] --- Other Services/Drivers In Memory --- *NewlyCreated* - UOWTVOIV . Contents of the 'Scheduled Tasks' folder 2009-03-21 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job - c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2007-02-09 06:04] 2009-04-16 c:\windows\Tasks\RegCure Program Check.job - c:\program files\RegCure\RegCure.exe [2008-12-29 17:58] 2009-04-16 c:\windows\Tasks\RegCure.job - c:\program files\RegCure\RegCure.exe [2008-12-29 17:58] . . ------- Supplementary Scan ------- . uStart Page = about:blank uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=WEGgZKKQApaAZEzv3ynZ0m0ZK04 uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll FF - ProfilePath - c:\documents and settings\JN\Application Data\Mozilla\Firefox\Profiles\t3c2nlzk.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q= FF - prefs.js: browser.search.selectedEngine - Yoog Search FF - prefs.js: browser.startup.homepage - about:blank FF - prefs.js: keyword.URL - hxxp://www15.yoog.com/search.php?q= ---- FIREFOX POLICIES ---- FF - user.js: google.toolbar.linkdoctor.enabled - false FF - user.js: browser.search.defaultenginename - Yoog Search FF - user.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q= FF - user.js: browser.search.selectedEngine - Yoog Search FF - user.js: keyword.URL - hxxp://www15.yoog.com/search.php?q= FF - user.js: keyword.enabled - true . ************************************************************************** catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-04-16 21:01 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1068) c:\program files\SUPERAntiSpyware\SASWINLO.dll - - - - - - - > 'lsass.exe'(1124) c:\windows\system32\wvauth.dll c:\windows\system32\biolsp.dll - - - - - - - > 'explorer.exe'(1664) c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\windows\system32\igfxsrvc.exe c:\program files\Apoint\hidfind.exe c:\program files\Apoint\ApntEx.exe c:\program files\Dell\QuickSet\NicConfigSvc.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2009-04-17 21:04 - machine was rebooted ComboFix-quarantined-files.txt 2009-04-17 01:04 ComboFix2.txt 2009-04-16 22:25 ComboFix3.txt 2009-04-16 20:38 Pre-Run: 51,987,410,944 bytes free Post-Run: 51,985,735,680 bytes free 230 --- E O F --- 2008-05-19 19:43 Hijack This log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:15:17 PM, on 4/16/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\stsystra.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\TouchFreeze\TouchFreeze.exe C:\Program Files\Apoint\HidFind.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070425 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=WE...ZEzv3ynZ0m0ZK04 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [TouchFreeze] C:\Program Files\TouchFreeze\TouchFreeze.exe O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {203C12EA-EF5A-4989-BD68-5844A877A9AF} (prjOCFTools.OCFTools) - http://ocf.rogershelp.com/prjOCFTools.CAB O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://ra.camh.net/QSTSWeb/msrdp.cab O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 7474 bytes And one more MB log: Malwarebytes' Anti-Malware 1.36 Database version: 1989 Windows 5.1.2600 Service Pack 2 4/16/2009 9:35:12 PM mbam-log-2009-04-16 (21-35-12).txt Scan type: Quick Scan Objects scanned: 80694 Time elapsed: 3 minute(s), 52 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ------------------- Again, THANK YOU very much for the excellent help and support!!
  4. Thanks for the quick reply. I am attaching the ComboFix log and the Hijack This log. You will note that I tried dragging two files for deletion into Combofix (it failed). The HijackThis log follows. Thanks again. CF LOG: ComboFix 09-04-17.01 - JN 04/16/2009 18:17.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526.1074 [GMT -4:00] Running from: c:\documents and settings\JN\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\JN\Desktop\cfscript.txt AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) * Created a new restore point FILE :: c:\documents and settings\JN\Local Settings\Temp\jhpwyrjt.dat c:\windows\system32\BROSNM.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\JN\Local Settings\Temp\jhpwyrjt.dat . . . . failed to delete c:\windows\system32\BROSNM.dll . . . . failed to delete . ((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 ))))))))))))))))))))))))))))))) . 2009-04-16 21:02 . 2009-04-16 21:02 -------- dc----w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} 2009-04-16 16:50 . 2009-04-16 16:50 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys 2009-04-16 14:59 . 2009-04-16 15:00 -------- d-----w C:\New Folder 2009-04-16 02:17 . 2009-04-16 02:17 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-04-16 02:01 . 2009-04-16 02:01 -------- d-----w c:\documents and settings\JN\Application Data\SUPERAntiSpyware.com 2009-04-16 01:54 . 2009-04-16 01:54 -------- d-----w c:\documents and settings\JN\Application Data\Malwarebytes 2009-04-16 01:54 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-04-16 01:54 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-04-16 01:54 . 2009-04-16 01:54 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes 2009-04-15 02:35 . 2009-04-15 23:08 0 ----a-w c:\windows\Ekegatoqe.bin 2009-04-15 02:35 . 2009-04-15 02:35 -------- d-----w c:\documents and settings\JN\Local Settings\Application Data\{94F9A716-C8F3-4569-9C48-264A07F0D282} 2009-04-15 02:35 . 2009-04-16 01:29 408 ----a-w c:\windows\Qwowadu.dat 2009-04-15 02:16 . 2009-04-15 02:16 615 ----a-w c:\windows\system32\s5NYRKLt8CV2v.vbs 2009-04-13 22:31 . 2003-08-21 06:00 97792 ----a-w c:\windows\system32\BROSNM.dll 2009-04-13 22:31 . 2009-04-13 22:35 69194 ----a-w c:\windows\system32\icudfibxwnyose.dll-uninst.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-04-16 22:21 . 2009-04-16 22:21 5690 ----a-w C:\avenger.txt 2009-04-16 21:58 . 2009-04-16 21:58 -------- d-----w c:\program files\ACW 2009-04-16 20:38 . 2007-04-25 06:05 28160 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-04-16 16:07 . 2009-04-16 16:07 -------- d-----w c:\program files\FileASSASSIN 2009-04-16 15:58 . 2009-04-16 15:58 -------- d-----w c:\program files\Enigma Software Group 2009-04-16 15:32 . 2009-04-16 15:26 -------- d-----w c:\program files\RegCure 2009-04-16 14:05 . 2009-04-16 14:05 -------- d-----w c:\program files\Common Files\Gibinsoft Shared 2009-04-16 14:05 . 2009-04-16 14:05 -------- d-----w c:\program files\GiPo@Utilities 2009-04-16 13:32 . 2009-04-16 13:32 -------- d-----w c:\program files\Unlocker 2009-04-16 02:01 . 2009-04-16 02:01 -------- d-----w c:\program files\SUPERAntiSpyware 2009-04-16 01:57 . 2009-04-16 01:57 -------- d-----w c:\program files\Marcos Velasco Security 2009-04-16 01:56 . 2009-04-16 01:56 -------- d-----w c:\program files\CCleaner 2009-04-16 01:54 . 2009-04-16 01:54 -------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-04-15 20:54 . 2009-04-16 00:06 5300 ----a-w C:\Yoog steps.txt 2009-04-15 02:52 . 2009-04-15 02:52 -------- d-----w c:\program files\Trend Micro 2009-04-14 01:39 . 2009-02-24 00:44 -------- d-----w c:\documents and settings\JN\Application Data\LimeWire 2009-04-13 22:15 . 2009-04-13 22:15 -------- d-----w c:\program files\360Share Pro 2009-04-13 20:47 . 2009-04-13 20:47 -------- d-----w c:\program files\7-Zip 2009-04-08 01:40 . 2009-04-08 01:40 -------- d-----w c:\program files\MSECache 2009-03-09 22:18 . 2007-08-13 02:27 24272 ----a-w c:\documents and settings\JN\Application Data\GDIPFONTCACHEV1.DAT 2009-02-28 23:17 . 2009-02-28 23:13 -------- d-----w c:\program files\QuickTax 2008 2009-02-27 00:59 . 2008-01-12 15:42 -------- d-----w c:\documents and settings\JN\Application Data\EndNote 2009-02-24 00:44 . 2007-06-05 21:57 -------- d-----w c:\program files\LimeWire 2009-02-11 14:41 . 2009-02-11 14:41 520851 ----a-w C:\Beatriz PG Life Sciences 2009.eml 2009-01-31 03:11 . 2009-01-31 01:34 84472 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat 2008-09-24 23:09 . 2007-05-09 23:25 2114 ----a-w c:\documents and settings\JN\Application Data\WWB7_32.DAT 2008-02-24 23:00 . 2008-02-24 23:00 81920 ----a-w c:\documents and settings\JN\Application Data\ezpinst.exe 2008-02-24 23:00 . 2008-02-24 23:00 47360 ----a-w c:\documents and settings\JN\Application Data\pcouffin.sys 2007-07-28 18:06 . 2007-07-28 18:06 722176 ----a-w c:\documents and settings\JN\gotomypc_428.exe 2007-06-04 21:25 . 2007-06-05 22:59 237568 -c--a-w c:\program files\Uninstall Morpheus Toolbar.dll 2007-04-25 06:05 . 2007-10-13 01:37 12328 ----a-w c:\documents and settings\Friends\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2007-04-25 06:05 . 2007-05-05 00:04 12328 ----a-w c:\documents and settings\JN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2007-04-25 05:56 . 2007-10-13 01:37 136 ----a-w c:\documents and settings\Friends\Local Settings\Application Data\fusioncache.dat 2007-04-25 05:56 . 2007-05-05 00:04 136 ----a-w c:\documents and settings\JN\Local Settings\Application Data\fusioncache.dat 2007-04-25 05:56 . 2007-04-25 05:56 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA5514C7-6F20-478B-8C0B-543CBBCC8842}] 2003-08-21 06:00 97792 ----a-w c:\windows\system32\BROSNM.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "TouchFreeze"="c:\program files\TouchFreeze\TouchFreeze.exe" [2005-04-29 45056] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824] "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128] "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 wvauth [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk] backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mount.exe] 2008-04-11 20:17 374272 ----a-w c:\util\mount.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite] 2009-04-02 18:53 868352 ----a-w c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WZCSVC"=2 (0x2) "TapiSrv"=3 (0x3) "SPBBCSvc"=2 (0x2) "SCardSvr"=2 (0x2) "S24EventMonitor"=2 (0x2) "DefWatch"=2 (0x2) "ccSetMgr"=2 (0x2) "ccEvtMgr"=2 (0x2) "aawservice"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "c:\\Program Files\\SopCast\\SopCast.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= R3 AvSynMgr;AVSync Manager;c:\program files\Network Associates\VirusScan\Avsynmgr.exe [2001-04-30 155665] R3 NaiFiltr;NaiFiltr;c:\program files\Common Files\Network Associates\McShield\NaiFiltr.sys [2001-04-30 24480] R3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\DRIVERS\OMVA.sys [2002-11-20 14924] R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408] R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-28 116464] S0 NaiFsRec;NaiFsRec;c:\windows\system32\drivers\NaiFsRec.sys [2001-04-30 4512] S0 uowtvoiv;uowtvoiv;c:\windows\system32\drivers\uowtvoiv.sys [2004-08-04 23424] S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968] S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-16 101936] . Contents of the 'Scheduled Tasks' folder 2009-03-21 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job - c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2007-02-09 06:04] 2009-04-16 c:\windows\Tasks\RegCure Program Check.job - c:\program files\RegCure\RegCure.exe [2008-12-29 17:58] 2009-04-16 c:\windows\Tasks\RegCure.job - c:\program files\RegCure\RegCure.exe [2008-12-29 17:58] . . ------- Supplementary Scan ------- . uStart Page = about:blank uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=WEGgZKKQApaAZEzv3ynZ0m0ZK04 uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll FF - ProfilePath - c:\documents and settings\JN\Application Data\Mozilla\Firefox\Profiles\t3c2nlzk.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q= FF - prefs.js: browser.search.selectedEngine - Yoog Search FF - prefs.js: browser.startup.homepage - about:blank FF - prefs.js: keyword.URL - hxxp://www15.yoog.com/search.php?q= FF - component: c:\documents and settings\JN\Application Data\Mozilla\Firefox\Profiles\t3c2nlzk.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll ---- FIREFOX POLICIES ---- FF - user.js: google.toolbar.linkdoctor.enabled - false FF - user.js: browser.search.defaultenginename - Yoog Search FF - user.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q= FF - user.js: browser.search.selectedEngine - Yoog Search FF - user.js: keyword.URL - hxxp://www15.yoog.com/search.php?q= FF - user.js: keyword.enabled - true . ************************************************************************** catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-04-16 18:22 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1072) c:\program files\SUPERAntiSpyware\SASWINLO.dll - - - - - - - > 'lsass.exe'(1128) c:\windows\system32\wvauth.dll c:\windows\system32\biolsp.dll - - - - - - - > 'explorer.exe'(3972) c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\windows\system32\igfxsrvc.exe c:\program files\Dell\QuickSet\NicConfigSvc.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe c:\program files\Apoint\hidfind.exe c:\program files\Apoint\ApntEx.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2009-04-16 18:25 - machine was rebooted ComboFix-quarantined-files.txt 2009-04-16 22:25 ComboFix2.txt 2009-04-16 20:38 Pre-Run: 52,054,614,016 bytes free Post-Run: 52,041,674,752 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 219 --- E O F --- 2008-05-19 19:43 HijakThis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:50:59 PM, on 4/16/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\stsystra.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\TouchFreeze\TouchFreeze.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Apoint\HidFind.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070425 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=WE...ZEzv3ynZ0m0ZK04 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O2 - BHO: (no name) - {BA5514C7-6F20-478B-8C0B-543CBBCC8842} - C:\WINDOWS\system32\BROSNM.dll O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [TouchFreeze] C:\Program Files\TouchFreeze\TouchFreeze.exe O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {203C12EA-EF5A-4989-BD68-5844A877A9AF} (prjOCFTools.OCFTools) - http://ocf.rogershelp.com/prjOCFTools.CAB O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://ra.camh.net/QSTSWeb/msrdp.cab O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 7582 bytes
  5. Hi (1) Here is my HJT log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:44:15 PM, on 4/16/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\stsystra.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\TouchFreeze\TouchFreeze.exe C:\Program Files\Apoint\HidFind.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Outlook Express\msimn.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070425 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=WE...ZEzv3ynZ0m0ZK04 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O2 - BHO: (no name) - {BA5514C7-6F20-478B-8C0B-543CBBCC8842} - C:\WINDOWS\system32\BROSNM.dll O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [TouchFreeze] C:\Program Files\TouchFreeze\TouchFreeze.exe O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {203C12EA-EF5A-4989-BD68-5844A877A9AF} (prjOCFTools.OCFTools) - http://ocf.rogershelp.com/prjOCFTools.CAB O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://ra.camh.net/QSTSWeb/msrdp.cab O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 7813 bytes (2) Here is my MB log: Malwarebytes' Anti-Malware 1.36 Database version: 1987 Windows 5.1.2600 Service Pack 2 4/16/2009 7:53:54 AM mbam-log-2009-04-16 (07-53-47).txt Scan type: Quick Scan Objects scanned: 81005 Time elapsed: 5 minute(s), 55 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 4 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ba5514c7-6f20-478b-8c0b-543cbbcc8842} (Trojan.BHO.H) -> No action taken. HKEY_CLASSES_ROOT\CLSID\{ba5514c7-6f20-478b-8c0b-543cbbcc8842} (Trojan.BHO.H) -> No action taken. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\BROSNM.dll (Trojan.BHO.H) -> No action taken. C:\Documents and Settings\JN\Local Settings\Temp\jhpwyrjt.dat (Rootkit.Agent) -> No action taken. ------------------------- (3) And Here is my Problem: MB fails to delete these either directly or on the next reboot. HJT also fails to fix (delete) the registry entry Manual attempts to delete or edit the registry entries also fail (the registry does not allow me to edit permissions for these); All programs that I have tried in order to unlock and kill these files (include File Assassin) also failed. Any suggestions? Thanks
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.