Jump to content

k1ng_m0b

Members
  • Posts

    9
  • Joined

  • Last visited

Reputation

0 Neutral

Contact Methods

  • Website URL
    http://
  • ICQ
    0

Profile Information

  • Location
    Los Angeles, CA, US PST
  1. Hi, Thank you very much for your analysis. I will reformat my system and re-install everything. I have to be sure that the infection is totally gone. To aid in the re-install, I would like to copy the data under My Documents on the C: drive into a folder on my D: drive (bookmarks, photos, videos, email database etc.). Is this safe to do? Or do I have to wipe out my D: drive as well? Thanks, k1ng_m0b
  2. As directed, I have downloaded and run ComboFix. The resulting log file follows: ############################################ ComboFix 09-10-30.01 - Nankyung 10/31/2009 16:36.1.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1350 [GMT -7:00] Running from: c:\documents and settings\Nankyung\Desktop\ComboFix.exe AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\npz.ocx . ((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-31 ))))))))))))))))))))))))))))))) . 2009-10-30 06:38 . 2009-10-30 06:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-10-30 06:38 . 2009-10-31 05:17 -------- d-----w- c:\documents and settings\Nankyung\Application Data\SUPERAntiSpyware.com 2009-10-30 06:38 . 2009-10-31 05:17 -------- d-----w- c:\program files\SUPERAntiSpyware 2009-10-26 08:38 . 2009-10-26 08:38 -------- d--h--w- c:\windows\PIF 2009-10-26 08:23 . 2009-10-26 08:23 -------- d-----w- c:\program files\Trend Micro 2009-10-25 03:34 . 2009-10-25 03:34 -------- d-----w- c:\documents and settings\HelpAssistant\UserData 2009-10-02 22:04 . 2009-10-07 02:02 12728 ----a-w- c:\windows\system32\JRSUKD25.SYS 2009-10-02 22:04 . 2009-10-02 22:04 120120 ----a-r- c:\windows\system32\CKAgent.exe 2009-10-02 22:04 . 2009-03-19 02:50 434428 ----a-w- c:\windows\system32\CKCSP.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-10-31 23:30 . 2008-04-13 05:43 -------- d-----w- c:\program files\Symantec AntiVirus 2009-10-31 04:40 . 2008-11-29 05:44 -------- d-----w- c:\documents and settings\Nankyung\Application Data\Apple Computer 2009-10-29 05:45 . 2008-04-08 16:17 -------- d-----w- c:\program files\Google 2009-10-29 05:12 . 2009-06-30 04:31 -------- d-----w- c:\program files\Windows Desktop Search 2009-10-25 07:26 . 2009-01-14 05:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-10-25 03:51 . 2008-08-09 08:03 -------- d-----w- c:\program files\Microsoft Silverlight 2009-10-25 03:32 . 2009-03-07 21:12 4528 ----a-w- c:\windows\system32\fscflist.ini.tmp 2009-10-24 06:49 . 2008-04-26 19:30 -------- d-----w- c:\documents and settings\Nankyung\Application Data\Skype 2009-10-24 06:05 . 2008-04-26 19:34 -------- d-----w- c:\documents and settings\Nankyung\Application Data\skypePM 2009-10-23 14:30 . 2009-03-07 21:09 75 ----a-w- c:\windows\system32\fscagent.ini.tmp 2009-10-22 04:19 . 2008-04-21 08:36 -------- d-----w- c:\program files\StarNet 2009-10-20 04:17 . 2008-04-14 05:28 -------- d-----w- c:\program files\Mozilla Thunderbird 2009-10-13 02:44 . 2009-06-08 08:57 2383872 ----a-w- c:\windows\system32\pdbox28.exe 2009-10-12 09:15 . 2009-03-20 07:32 749568 ----a-w- c:\windows\system32\sticubeup.exe 2009-10-12 08:58 . 2009-03-20 07:32 159744 ----a-w- c:\windows\system32\downengine.dll 2009-10-09 04:44 . 2009-07-09 07:27 2252800 ----a-w- c:\windows\system32\clubbox.exe 2009-10-09 04:36 . 2009-03-20 07:32 806912 ----a-w- c:\windows\system32\sticubedn.exe 2009-10-07 10:45 . 2009-07-20 01:43 167936 ----a-w- c:\windows\system32\fscagent.exe 2009-10-07 02:02 . 2007-10-29 03:31 35512 ----a-w- c:\windows\system32\JRSKD24.sys 2009-09-15 02:50 . 2008-04-08 16:13 -------- d-----w- c:\program files\Java 2009-09-11 14:18 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-10 21:54 . 2009-01-14 05:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-09-10 21:53 . 2009-01-14 05:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-09-09 23:21 . 2009-03-24 00:48 644336 ----a-w- c:\windows\system32\NowUpdate.exe 2009-09-04 21:03 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-08-29 07:36 . 2004-08-11 22:00 832512 ----a-w- c:\windows\system32\wininet.dll 2009-08-29 07:36 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll 2009-08-29 07:36 . 2004-08-11 22:00 17408 ------w- c:\windows\system32\corpol.dll 2009-08-26 08:00 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll 2009-08-25 03:09 . 2009-08-25 03:09 34352 ----a-w- c:\windows\system32\npPCStatusUninst.exe 2009-08-17 23:44 . 2009-08-17 23:44 656696 ----a-w- c:\windows\system32\CKSetup32.exe 2009-08-17 23:44 . 2007-10-29 03:31 140600 ----a-w- c:\windows\system32\Jrsoftcp.dll 2009-08-17 23:44 . 2007-10-29 03:31 140600 ----a-w- c:\windows\system32\CKApp.dll 2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-08-04 15:13 . 2004-08-11 22:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe 2009-08-04 14:20 . 2004-08-04 03:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-13 13684736] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-27 178712] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-11 1015808] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920] "RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920] "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 52840] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632] "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352] "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-11-13 25214] Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-4-12 113664] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360] NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-4-12 118784] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"= "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\StarNet\\X-Win32 8.1\\xwin32.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\StarNet\\X-Win32 9.4\\xwin32.exe"= "c:\\Program Files\\StarNet\\X-Win32 9.4\\esd.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\WINDOWS\\system32\\sticubedn.exe"= "c:\\WINDOWS\\system32\\clubbox.exe"= "c:\\WINDOWS\\system32\\fscagent.exe"= "c:\\WINDOWS\\system32\\pdbox28.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:Remote Desktop R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 12:30 PM 79168] R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088] R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/14/2009 8:17 AM 102448] R3 JRSUKD25;JRSUKD25;c:\windows\system32\JRSUKD25.SYS [10/2/2009 3:04 PM 12728] S3 JRSKD24;JRSKD24;c:\windows\system32\JRSKD24.sys [10/28/2007 8:31 PM 35512] S3 JRSUKD24;JRSUKD24;c:\windows\system32\JRSUKD24.sys [10/28/2007 8:31 PM 6784] S3 NPFWFLT;NPFWFLT;c:\windows\system32\npfwflt.sys [8/24/2009 8:16 PM 40704] --- Other Services/Drivers In Memory --- *NewlyCreated* - CLASSPNP_2 *NewlyCreated* - MBR *Deregistered* - CLASSPNP_2 *Deregistered* - mbr . . ------- Supplementary Scan ------- . uStart Page = hxxp://webmail.isi.edu/ IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 TCP: {114E1ED5-64B9-4651-A245-2920FC5511DE} = 208.67.222.222,208.67.220.220 DPF: {0349EF81-B9C1-4B97-86F7-7B931D0E2532} - hxxp://sticube.clubbox.co.kr/sticubeupdate/cab/NowStarter2.cab DPF: {6CE20149-ABE3-462E-A1B4-5B549971AA38} - hxxp://ck.softforum.co.kr/CKKeyPro/keb_n/CKKeyPro3017_32k.cab DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - hxxp://www.nps.or.kr/XecureObject/xw_install.cab DPF: {81D9BBB0-22AD-44F3-B7DB-8FD9ECEB27A0} - hxxp://fx.keb.co.kr/activex/Chart/FxChartA.cab DPF: {967386A1-409E-431A-A93A-FB5FEFF86A58} - hxxp://fx.keb.co.kr/veraport/veraport.cab DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} - hxxp://home.ebs.co.kr/wizard/contents/viewer/play/common/MagicLockOCX.cab DPF: {EA0995BF-45DD-4DB0-ADD5-A39C37397841} - hxxp://img.shinhan.com/rib/common/TrustSite/vista/ShbAutoTrustSiteX.cab DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} - hxxp://www.clubbox.co.kr/neo.fld/MultiUpload.cab FF - ProfilePath - c:\documents and settings\Nankyung\Application Data\Mozilla\Firefox\Profiles\jfpy0z1y.default\ FF - prefs.js: browser.startup.homepage - hxxps://webmail.isi.edu/horde/imp/ FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-10-31 16:39 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x893A6B00]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\iaStor -> 0x893a6b00 NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x893e3200 Warning: possible MBR rootkit infection ! copy of MBR has been found in sector 0x012A050FC malicious code @ sector 0x012A050FF ! PE file found in sector at 0x012A05115 ! MBR rootkit infection detected ! Use: "mbr.exe -f" to fix. ************************************************************************** . Completion time: 2009-10-31 16:40 ComboFix-quarantined-files.txt 2009-10-31 23:40 Pre-Run: 136,388,055,040 bytes free Post-Run: 137,916,420,096 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect - - End Of File - - 994903EBD982994303670DACD459743B
  3. Thank you very much for your response. I have ran dds.scr, here is the dds log files. I'm attaching the Attach.txt as a zip file. Thanks again, k1ng_m0b *************** DDS.txt ****************** DDS (Ver_09-10-26.01) - NTFSx86 Run by Nankyung at 22:28:32.62 on Fri 10/30/2009 Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1332 [GMT -7:00] AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe C:\Program Files\Symantec AntiVirus\DoScan.exe C:\Program Files\Nikon\PictureProject\NkbMonitor.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\taskmgr.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Nankyung\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://webmail.isi.edu/ uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe" mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe" mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe" mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 mRun: [iMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe" mRun: [vptray] c:\progra~1\symant~1\VPTray.exe mRun: [WinampAgent] "c:\program files\winamp\winampa.exe" mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe" mRun: [<NO NAME>] mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll DPF: {0349EF81-B9C1-4B97-86F7-7B931D0E2532} - hxxp://sticube.clubbox.co.kr/sticubeupdate/cab/NowStarter2.cab DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207983068549 DPF: {6CE20149-ABE3-462E-A1B4-5B549971AA38} - hxxp://ck.softforum.co.kr/CKKeyPro/keb_n/CKKeyPro3017_32k.cab DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - hxxp://www.nps.or.kr/XecureObject/xw_install.cab DPF: {81D9BBB0-22AD-44F3-B7DB-8FD9ECEB27A0} - hxxp://fx.keb.co.kr/activex/Chart/FxChartA.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {967386A1-409E-431A-A93A-FB5FEFF86A58} - hxxp://fx.keb.co.kr/veraport/veraport.cab DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} - hxxp://home.ebs.co.kr/wizard/contents/viewer/play/common/MagicLockOCX.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {DC4207CE-C03E-4449-ACB1-032CA4137053} - hxxp://update.nprotect.net/nprotect2006/keb/npz.cab DPF: {EA0995BF-45DD-4DB0-ADD5-A39C37397841} - hxxp://img.shinhan.com/rib/common/TrustSite/vista/ShbAutoTrustSiteX.cab DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} - hxxp://www.clubbox.co.kr/neo.fld/MultiUpload.cab TCP: {114E1ED5-64B9-4651-A245-2920FC5511DE} = 208.67.222.222,208.67.220.220 Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL Notify: NavLogon - c:\windows\system32\NavLogon.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\nankyung\applic~1\mozilla\firefox\profiles\jfpy0z1y.default\ FF - prefs.js: browser.startup.homepage - hxxps://webmail.isi.edu/horde/imp/ FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} ============= SERVICES / DRIVERS =============== R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168] R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088] R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-14 102448] R3 JRSUKD25;JRSUKD25;c:\windows\system32\JRSUKD25.SYS [2009-10-2 12728] S3 JRSKD24;JRSKD24;c:\windows\system32\JRSKD24.sys [2007-10-28 35512] S3 JRSUKD24;JRSUKD24;c:\windows\system32\JRSUKD24.sys [2007-10-28 6784] S3 NPFWFLT;NPFWFLT;c:\windows\system32\npfwflt.sys [2009-8-24 40704] =============== Created Last 30 ================ 2009-10-30 06:38:20 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com 2009-10-30 06:38:14 0 d-----w- c:\program files\SUPERAntiSpyware 2009-10-30 06:38:14 0 d-----w- c:\docume~1\nankyung\applic~1\SUPERAntiSpyware.com 2009-10-26 08:38:25 0 d--h--w- c:\windows\PIF 2009-10-26 08:23:29 0 d-----w- c:\program files\Trend Micro 2009-10-02 22:04:31 12728 ----a-w- c:\windows\system32\JRSUKD25.SYS 2009-10-02 22:04:29 434428 ----a-w- c:\windows\system32\CKCSP.dll 2009-10-02 22:04:29 120120 ----a-r- c:\windows\system32\CKAgent.exe ==================== Find3M ==================== 2009-10-25 03:32:27 4528 ----a-w- c:\windows\system32\fscflist.ini.tmp 2009-10-13 02:44:56 2383872 ----a-w- c:\windows\system32\pdbox28.exe 2009-10-12 09:15:14 749568 ----a-w- c:\windows\system32\sticubeup.exe 2009-10-12 08:58:25 159744 ----a-w- c:\windows\system32\downengine.dll 2009-10-09 04:44:56 2252800 ----a-w- c:\windows\system32\clubbox.exe 2009-10-09 04:36:17 806912 ----a-w- c:\windows\system32\sticubedn.exe 2009-10-07 10:45:51 167936 ----a-w- c:\windows\system32\fscagent.exe 2009-10-07 02:02:23 35512 ----a-w- c:\windows\system32\JRSKD24.sys 2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll 2009-09-10 21:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-09-10 21:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-09-09 23:21:20 644336 ----a-w- c:\windows\system32\NowUpdate.exe 2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll 2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe 2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe 2009-08-27 05:18:44 634648 ------w- c:\windows\system32\dllcache\iexplore.exe 2009-08-27 05:18:41 161792 ------w- c:\windows\system32\dllcache\ieakui.dll 2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll 2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll 2009-08-25 03:09:12 34352 ----a-w- c:\windows\system32\npPCStatusUninst.exe 2009-08-17 23:44:32 656696 ----a-w- c:\windows\system32\CKSetup32.exe 2009-08-17 23:44:32 140600 ----a-w- c:\windows\system32\Jrsoftcp.dll 2009-08-17 23:44:30 140600 ----a-w- c:\windows\system32\CKApp.dll 2009-08-13 15:16:05 512000 ------w- c:\windows\system32\dllcache\jscript.dll 2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-08-05 09:01:48 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll 2009-08-05 03:44:46 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe 2009-08-04 15:13:08 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe 2009-08-04 15:13:08 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe 2009-08-04 14:20:09 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe 2009-08-04 14:20:09 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe 2009-08-04 14:20:08 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe 2008-07-29 03:01:56 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072820080729\index.dat ============= FINISH: 22:29:57.45 =============== Attach_20091030.zip
  4. Hi, Like the title and description says, my computer (actually my wife's) had an Adware.CWS infection which MBAM caught and quarantined. We deleted it, but she can't get ie to run - a window for the browser will come up, but no content will load in that window. Meanwhile the harddisk just churns and churns. I can't figure out what's going on. I have posted MBAM and HiJackThis logs in this topic here: http://www.malwarebytes.org/forums/index.php?showtopic=28965 Sorry if I did this in the wrong order; I thought I could just post there first since everyone who posts a problem in this section gets diirected to post their logs over there... Anyway I thought I should flag it here. Thanks for reading! k1ng_m0b
  5. Hi all, My wife's computer has gotten hit with something and we need some help tracking it down. Based on my previous success with MBAM & co., I'm posting here. Quick summary: Internet Explorer freezes up and is very hard to kill, also system will not shut down cleanly. We have run MBAM and removed an infection of Adware.CWS. However the problems persist. Here are the log files from MBAM and a recent (five minutes ago) running of HiJackThis: Please note: the first MBAM logfile is from the removal of the Adware.CWS, using version 1.32 of MBAM. The second MBAM logfile is from the most recent scan, using version 1.41. MBAM Log (Adware.CWS removal): =========================== Malwarebytes' Anti-Malware 1.32 Database version: 1649 Windows 5.1.2600 Service Pack 3 10/24/2009 10:05:44 PM mbam-log-2009-10-24 (22-05-44).txt Scan type: Quick Scan Objects scanned: 77548 Time elapsed: 5 minute(s), 52 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 9 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\nowstarter.nowstarterctrl.1 (Adware.CWS) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{072039ab-2117-4ed5-a85f-9b9eb903e021} (Adware.CWS) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{072039ab-2117-4ed5-a85f-9b9eb903e021} (Adware.CWS) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{072039ab-2117-4ed5-a85f-9b9eb903e021} (Adware.CWS) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{6f553c18-15e6-4e5e-8f44-add50de754ed} (Adware.CWS) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\TypeLib\{0409743c-e5e3-4bdd-9ec7-eff622530282} (Adware.CWS) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{40722371-e24c-4b36-8e76-010bb6c7185b} (Adware.CWS) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{825c19d3-35ce-428f-876b-88e080466689} (Adware.CWS) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/nowstarter.ocx (Adware.CWS) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\NowStarter.ocx (Adware.CWS) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\Downloaded Program Files\NowStarter.ocx (Adware.CWS) -> Quarantined and deleted successfully. MBAM Log (Most recent scan post-adware removal): =========================== Malwarebytes' Anti-Malware 1.41 Database version: 2775 Windows 5.1.2600 Service Pack 3 10/25/2009 9:31:31 PM mbam-log-2009-10-25 (21-31-31).txt Scan type: Full Scan (C:\|D:\|) Objects scanned: 250035 Time elapsed: 36 minute(s), 37 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) HJT Log: =========================== Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:24:09 AM, on 10/26/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16915) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Nikon\PictureProject\NkbMonitor.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\taskmgr.exe C:\WINDOWS\system32\dwwin.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\dumprep.exe C:\WINDOWS\system32\dwwin.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080408 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.isi.edu/horde/imp/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080408 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 125.245.196.194:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_A54B7D6FB1DA63EA.dll/cmsidewiki.html O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0349EF81-B9C1-4B97-86F7-7B931D0E2532} (NowStarter2 Control) - http://sticube.clubbox.co.kr/sticubeupdate...NowStarter2.cab O16 - DPF: {2E215D23-8D32-4141-BB8F-6254C84FBC9E} - http://potplayer.daum.net/PotPlayer/launch...yerLauncher.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1207983068549 O16 - DPF: {6CE20149-ABE3-462E-A1B4-5B549971AA38} (XecureCKKB Class) - http://ck.softforum.co.kr/CKKeyPro/keb_n/C...Pro3017_32k.cab O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://www.nps.or.kr/XecureObject/xw_install.cab O16 - DPF: {81D9BBB0-22AD-44F3-B7DB-8FD9ECEB27A0} (FxChartA Control) - http://fx.keb.co.kr/activex/Chart/FxChartA.cab O16 - DPF: {967386A1-409E-431A-A93A-FB5FEFF86A58} (AXMObjectCtl Class) - http://fx.keb.co.kr/veraport/veraport.cab O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://home.ebs.co.kr/wizard/contents/view...agicLockOCX.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {DC4207CE-C03E-4449-ACB1-032CA4137053} (Npz Control) - http://update.nprotect.net/nprotect2006/keb/npz.cab O16 - DPF: {EA0995BF-45DD-4DB0-ADD5-A39C37397841} (ShbAutoTrustSite Control) - http://img.shinhan.com/rib/common/TrustSit...oTrustSiteX.cab O16 - DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} (MultiUpload Control) - http://www.clubbox.co.kr/neo.fld/MultiUpload.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{114E1ED5-64B9-4651-A245-2920FC5511DE}: NameServer = 208.67.222.222,208.67.220.220 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = usc.edu O17 - HKLM\System\CS1\Services\Tcpip\..\{114E1ED5-64B9-4651-A245-2920FC5511DE}: NameServer = 208.67.222.222,208.67.220.220 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = usc.edu O17 - HKLM\System\CS2\Services\Tcpip\..\{114E1ED5-64B9-4651-A245-2920FC5511DE}: NameServer = 208.67.222.222,208.67.220.220 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = usc.edu O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- End of file - 14680 bytes
  6. Thanks very much for your help! Things seem to be back to normal. I am including the log result of a full system scan from Malwarebytes below. I am able to keep Symantec Endpoint Protection running now, so I will run a full system scan using that as well and see if anything turns up. Should I run HJT again as well? Thanks, KM ===Begin MBAM log=== Malwarebytes' Anti-Malware 1.38 Database version: 2309 Windows 5.1.2600 Service Pack 2 6/20/2009 2:44:37 AM mbam-log-2009-06-20 (02-44-37).txt Scan type: Full Scan (C:\|D:\|) Objects scanned: 391057 Time elapsed: 2 hour(s), 26 minute(s), 44 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)
  7. Thank you for your reply! Here is the combo fix log: ComboFix 09-06-18.02 - Mitch 06/19/2009 10:42.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1511 [GMT -7:00] Running from: c:\documents and settings\Mitch\Desktop\foobar.exe Command switches used :: c:\documents and settings\Mitch\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat c:\program files\driver c:\windows\system32\drivers\UACnqvhtxingxjpxqg.sys c:\windows\system32\UACifjfwcdpfnunxbc.dat c:\windows\system32\UACkbcihutcyidpywo.log c:\windows\system32\UACnlbjhwhehsbehei.dll c:\windows\system32\UACsjnjqown.dat c:\windows\system32\UACsrrwndmlgfivruv.log c:\windows\system32\UACtolplkttbtsajpe.dll c:\windows\system32\UACuipbqjnlhhikbit.log c:\windows\system32\UACxnjsyidsnwylixx.dll c:\windows\system32\UACxnlafitmxhmbwmh.dll c:\windows\system32\UACyhdaokopeaxpvmv.dll c:\windows\system32\_003329_.tmp.dll c:\windows\system32\_003330_.tmp.dll c:\windows\system32\_003331_.tmp.dll c:\windows\system32\_003332_.tmp.dll c:\windows\system32\_003336_.tmp.dll c:\windows\system32\_003337_.tmp.dll c:\windows\system32\_003338_.tmp.dll c:\windows\system32\_003339_.tmp.dll c:\windows\system32\_003340_.tmp.dll c:\windows\system32\_003341_.tmp.dll c:\windows\system32\_003342_.tmp.dll c:\windows\system32\_003343_.tmp.dll c:\windows\system32\_003344_.tmp.dll c:\windows\system32\_003345_.tmp.dll c:\windows\system32\_003348_.tmp.dll c:\windows\system32\_003349_.tmp.dll c:\windows\system32\_003351_.tmp.dll c:\windows\system32\_003352_.tmp.dll c:\windows\system32\_003353_.tmp.dll c:\windows\system32\_003355_.tmp.dll c:\windows\system32\_003356_.tmp.dll c:\windows\system32\_003358_.tmp.dll c:\windows\system32\_003359_.tmp.dll c:\windows\system32\_003361_.tmp.dll c:\windows\system32\_003362_.tmp.dll c:\windows\system32\_003363_.tmp.dll c:\windows\system32\_003364_.tmp.dll c:\windows\system32\_003365_.tmp.dll c:\windows\system32\_003366_.tmp.dll c:\windows\system32\_003368_.tmp.dll c:\windows\system32\_003369_.tmp.dll c:\windows\system32\_003370_.tmp.dll c:\windows\system32\_003371_.tmp.dll c:\windows\system32\_003372_.tmp.dll c:\windows\system32\_003373_.tmp.dll c:\windows\system32\_003374_.tmp.dll c:\windows\system32\_003375_.tmp.dll c:\windows\system32\_003378_.tmp.dll c:\windows\system32\_003379_.tmp.dll c:\windows\system32\_003380_.tmp.dll c:\windows\system32\_003381_.tmp.dll c:\windows\system32\_003382_.tmp.dll c:\windows\system32\_003383_.tmp.dll c:\windows\system32\_003384_.tmp.dll c:\windows\system32\_003386_.tmp.dll c:\windows\system32\_003387_.tmp.dll c:\windows\system32\_003388_.tmp.dll c:\windows\system32\_003389_.tmp.dll c:\windows\system32\_003390_.tmp.dll c:\windows\system32\_003391_.tmp.dll c:\windows\system32\_003393_.tmp.dll c:\windows\system32\_003396_.tmp.dll c:\windows\system32\_003397_.tmp.dll c:\windows\system32\_003401_.tmp.dll c:\windows\system32\_003402_.tmp.dll c:\windows\system32\_003404_.tmp.dll c:\windows\system32\_003407_.tmp.dll c:\windows\system32\_003409_.tmp.dll c:\windows\system32\_003410_.tmp.dll c:\windows\system32\_003411_.tmp.dll c:\windows\system32\_003412_.tmp.dll c:\windows\system32\_003415_.tmp.dll c:\windows\system32\_003416_.tmp.dll c:\windows\system32\_003417_.tmp.dll c:\windows\system32\_003418_.tmp.dll c:\windows\system32\_003419_.tmp.dll c:\windows\system32\_003424_.tmp.dll c:\windows\system32\_003426_.tmp.dll c:\windows\system32\cookie1.dat c:\windows\system32\drivers\UACnqvhtxingxjpxqg.sys c:\windows\system32\tb.dr c:\windows\system32\UACifjfwcdpfnunxbc.dat c:\windows\system32\uacinit.dll c:\windows\system32\UACkbcihutcyidpywo.log c:\windows\system32\UACnlbjhwhehsbehei.dll c:\windows\system32\UACsrrwndmlgfivruv.log c:\windows\system32\UACtolplkttbtsajpe.dll c:\windows\system32\UACuipbqjnlhhikbit.log c:\windows\system32\UACxnjsyidsnwylixx.dll c:\windows\system32\UACxnlafitmxhmbwmh.dll c:\windows\system32\UACyhdaokopeaxpvmv.dll c:\windows\system32\ypmqpcqe.ini c:\windows\wiaserviv.log c:\windows\wiaservv.log ----- BITS: Possible infected sites ----- hxxp://downloadsoftwareserver.com c:\windows\system32\proquota.exe was missing Restored copy from - c:\i386\proquota.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_UACd.sys -------\Legacy_DRIVER -------\Legacy_DRIVERDRV -------\Service_driver -------\Service_driverdrv ((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 ))))))))))))))))))))))))))))))) . 2009-06-19 17:50 . 2004-08-04 11:00 50176 ----a-w- c:\windows\system32\proquota.exe 2009-06-19 17:50 . 2004-08-04 11:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe 2009-06-18 22:25 . 2009-03-05 05:28 89088 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}\System32\atl71.dll 2009-06-18 09:29 . 2009-06-18 17:07 117760 ----a-w- c:\documents and settings\Mitch\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2009-06-18 09:29 . 2009-06-18 09:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-06-18 09:26 . 2009-06-18 09:26 -------- d-----w- c:\documents and settings\Mitch\Application Data\SUPERAntiSpyware.com 2009-06-18 09:26 . 2009-06-18 09:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2009-06-18 05:19 . 2009-06-18 05:19 -------- d-----w- c:\documents and settings\Nankyung\Local Settings\Application Data\RapidSolution 2009-06-18 05:18 . 2009-06-18 05:18 -------- d-----w- c:\documents and settings\Nankyung\Application Data\WTablet 2009-06-18 02:11 . 2009-06-18 02:11 1 ---h--w- c:\windows\jmmark2.dat 2009-06-17 20:33 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2009-06-17 10:19 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-06-17 10:19 . 2009-06-17 10:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-06-17 10:19 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-06-15 07:58 . 2009-06-15 07:58 -------- d-----w- c:\windows\system32\Adobe 2009-06-09 22:03 . 2009-06-09 22:04 -------- d-----w- c:\documents and settings\Mitch\Application Data\ZoomBrowser EX 2009-06-09 07:06 . 2009-06-09 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Ableton 2009-06-09 07:06 . 2009-06-09 07:06 -------- d-----w- c:\documents and settings\Mitch\Application Data\Ableton 2009-05-30 09:13 . 2009-05-30 09:13 -------- d-----w- c:\documents and settings\Mitch\.thumbnails 2009-05-30 05:17 . 2009-05-30 05:17 390664 ----a-w- c:\documents and settings\Mitch\Application Data\Real\RealPlayer\Update\RealPlayer11.exe 2009-05-27 04:38 . 2009-06-19 17:53 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-06-19 17:58 . 2009-03-27 05:01 -------- d-----w- c:\documents and settings\Mitch\Application Data\WTablet 2009-06-18 22:27 . 2008-01-06 09:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec 2009-06-18 22:26 . 2008-01-06 09:20 -------- d-----w- c:\program files\Common Files\Symantec Shared 2009-06-18 22:26 . 2009-06-18 22:26 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF 2009-06-18 22:26 . 2009-06-18 22:26 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL 2009-06-18 22:26 . 2009-06-18 22:26 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS 2009-06-18 22:26 . 2009-06-18 22:26 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT 2009-06-18 22:26 . 2008-01-06 09:20 -------- d-----w- c:\program files\Symantec 2009-06-18 05:35 . 2008-01-06 09:20 -------- d-----w- c:\program files\Symantec AntiVirus 2009-06-18 05:19 . 2008-01-05 06:13 41824 ----a-w- c:\documents and settings\Nankyung\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-06-09 22:04 . 2008-12-20 05:31 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser 2009-05-28 04:14 . 2008-01-02 15:19 -------- d-----w- c:\program files\Google 2009-05-20 02:46 . 2008-01-20 05:22 368640 ----a-w- c:\windows\system32\ReWire.dll 2009-05-20 02:46 . 2008-01-20 05:22 233472 ----a-w- c:\windows\system32\REX Shared Library.dll 2009-04-15 05:36 . 2009-04-15 05:36 495616 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\EncodingBackend\lame_enc.dll 2009-04-15 05:10 . 2009-04-15 05:10 466944 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\MusicLoad.dll 2009-04-15 05:10 . 2009-04-15 05:10 197912 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\PlgSoundclick.dll 2009-04-15 05:10 . 2009-04-15 05:10 177432 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\PlgIJigg.dll 2009-04-15 05:10 . 2009-04-15 05:10 169240 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\PlgPandora.dll 2009-04-15 05:10 . 2009-04-15 05:10 136472 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\PlgLastfm.dll 2009-04-15 05:10 . 2009-04-15 05:09 1258776 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\RadioRip.dll 2009-04-11 08:27 . 2008-09-04 07:02 1915520 ----a-w- c:\documents and settings\Mitch\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-02 68856] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-15 8523776] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-27 178712] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-12 1015808] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920] "RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920] "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920] "WinampAgent"="c:\apps\sound\Winamp\winampa.exe" [2007-12-20 37376] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-26 185896] "LWBMOUSE"="c:\program files\GearHead\Wheel Mouse\5.3\MOUSE32A.EXE" [2002-05-24 357376] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-15 81920] "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704] "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936] "iTunesHelper"="c:\apps\sound\iTunes_Mitch\iTunesHelper.exe" [2008-09-11 289576] "Acrobat Assistant 7.0"="c:\apps\graphics\2d\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488] "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-03-05 115560] "BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-01-15 1626112] c:\documents and settings\Mitch\Start Menu\Programs\Startup\ Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-1-19 113664] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-12-16 25214] Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-1-19 113664] Alias SketchBook Snapshot.lnk - c:\apps\graphics\2d\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe [2005-6-3 233472] ImageMixer 3 SE Camera Monitor.lnk - c:\program files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe [2008-12-19 253952] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\apps\web\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 19:05 356352 ----a-w- c:\apps\web\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\apps\\web\\BitComet\\BitComet.exe"= "c:\\apps\\graphics\\3d\\Autodesk\\Maya2008\\bin\\maya.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\apps\\sound\\iTunes_Mitch\\iTunes.exe"= "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"= "c:\\Quake2\\quake2.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"= "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"= "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "14074:TCP"= 14074:TCP:BitComet 14074 TCP "14074:UDP"= 14074:UDP:BitComet 14074 UDP "5353:TCP"= 5353:TCP:Adobe CSI CS4 "8085:TCP"= 8085:TCP:driver R1 SASDIFSV;SASDIFSV;c:\apps\web\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968] R1 SASKUTIL;SASKUTIL;c:\apps\web\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944] R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/11/2007 1:45 AM 124832] R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 1:30 PM 79168] R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [3/26/2009 10:00 PM 1373480] S2 SqtechUsb;SCAN05C/D USB Driver;c:\windows\system32\drivers\Fusb100.sys [3/15/2008 12:05 AM 64769] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/14/2009 11:23 PM 101936] S3 SASENUM;SASENUM;c:\apps\web\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408] S4 BrlAPI;BrlAPI;c:\cygwin\bin\cygrunsrv.exe --> c:\cygwin\bin\cygrunsrv.exe [?] S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\apps\programming\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 8:01 AM 2799808] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}] c:\program files\PixiePack Codec Pack\InstallerHelper.exe . Contents of the 'Scheduled Tasks' folder 2009-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34] . - - - - ORPHANS REMOVED - - - - Notify-dimsntfy - (no file) Notify-NavLogon - (no file) SafeBoot-Symantec Antvirus . ------- Supplementary Scan ------- . uStart Page = hxxp://www.malwarebytes.org/forums/index.php?showtopic=9573 uInternet Settings,ProxyOverride = *.local IE: &D&ownload &with BitComet - c:\apps\web\BitComet\BitComet.exe/AddLink.htm IE: &D&ownload all video with BitComet - c:\apps\web\BitComet\BitComet.exe/AddVideo.htm IE: &D&ownload all with BitComet - c:\apps\web\BitComet\BitComet.exe/AddAllLink.htm IE: Convert link target to Adobe PDF - c:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000 Trusted Zone: turbotax.com . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-06-19 10:59 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(584) c:\apps\web\SUPERAntiSpyware\SASWINLO.dll - - - - - - - > 'explorer.exe'(3464) c:\program files\GearHead\Wheel Mouse\5.3\MOUDL32A.DLL . ------------------------ Other Running Processes ------------------------ . c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe c:\program files\Common Files\Symantec Shared\ccSvcHst.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\PSIService.exe c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe c:\windows\system32\wdfmgr.exe c:\program files\Canon\CAL\CALMAIN.exe c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe c:\windows\system32\WTablet\Wacom_TabletUser.exe c:\windows\system32\wscntfy.exe c:\windows\system32\rundll32.exe c:\windows\system32\rundll32.exe c:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************** . Completion time: 2009-06-19 11:02 - machine was rebooted ComboFix-quarantined-files.txt 2009-06-19 18:02 Pre-Run: 20,351,991,808 bytes free Post-Run: 20,307,562,496 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 337 --- E O F --- 2008-10-14 06:32
  8. Hi, I've been fighting what seems to be a rootkit infection. I read and followed the instructions posted in the sticky topic: I'm infected - What do I do now?... and so now I'm including my HJT log. The general symptoms are: MBAM finds stuff like: Memory Modules Infected: \\?\globalroot\systemroot\system32\UACtolplkttbtsajpe.dll (Trojan.TDSS) -> Delete on reboot. Files Infected: \\?\globalroot\systemroot\system32\UACtolplkttbtsajpe.dll (Trojan.TDSS) -> Quarantined and deleted successfully. C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot. But the stuff to be deleted on reboot always resurrects itself. I'm hoping the ninjas here can help me eradicate this. Thanks, KM ===BEGIN HJT LOG=== Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:38:12 PM, on 6/18/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PSIService.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe C:\WINDOWS\system32\Wacom_Tablet.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Internet Explorer\Iexplore.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe C:\apps\sound\Winamp\winampa.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\GearHead\Wheel Mouse\5.3\MOUSE32A.EXE C:\WINDOWS\system32\Wacom_Tablet.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\PowerISO\PWRISOVM.EXE C:\apps\sound\iTunes_{USER}\iTunesHelper.exe C:\apps\graphics\2d\Adobe\Acrobat 7.0\Distillr\Acrotray.exe C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\iPod\bin\iPodService.exe C:\apps\graphics\2d\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe C:\Program Files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe C:\apps\web\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1080102 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.malwarebytes.org/forums/index.php?showtopic=9573 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1080102 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe O1 - Hosts: ::1 localhost O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: Tunebite_WebRipPlugin Class - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - C:\apps\Utils\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe O4 - HKLM\..\Run: [WinampAgent] C:\apps\sound\Winamp\winampa.exe O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\GearHead\Wheel Mouse\5.3\MOUSE32A.EXE O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\apps\sound\iTunes_{USER}\iTunesHelper.exe" O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\apps\graphics\2d\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\GODcensoredINGDAMMIT.exe" /runcleanupscript O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Alias SketchBook Snapshot.lnk = C:\apps\graphics\2d\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe O4 - Global Startup: ImageMixer 3 SE Camera Monitor.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = usc.edu O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = usc.edu O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll O20 - Winlogon Notify: !SASWinLogon - C:\apps\web\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe -- End of file - 13746 bytes
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.