What the Tech logo
Welcome! Register for a free account (or login) > How does it work?
  1. Quickly register. It will only take 60 seconds.
  2. Start a new topic. Ask your question. Wait for an email reply.
  3. Is your system infected? Begin reading the malware removal guide.
 register button
3 Pages V  < 1 2 3 >  
 Closed TopicStart new topic
> [Resolved] Win32 - Trojan.Agent/Gen (Trojan.dropper/Win-NV) Removal He
oldman960
post Oct 14 2009, 07:06 AM
Post #16


SuperHelper
Group Icon

Group: Classroom Teacher
Posts: 5,694
Joined: 27-April 08
Member No.: 78,707
Operating System: win98se, XP pro
Hi Greyspce,

Do you have the results for

C:\Program Files\GHL\Self-Installed\stsystra.exe


Please post a new DDS.txt and the Attach.txt

Thanks
Go to the top of the page
 
+Quote Post
greyspace
post Oct 14 2009, 07:49 AM
Post #17


Authentic Member
**

Group: Authentic Member
Posts: 50
Joined: 13-January 04
Member No.: 1,974
Sorry about that, I thoguht that I had included a copy of the third scan. It is below along with the DDS log.

VirSCAN.org Scanned Report :
Scanned time : 2009/10/14 06:34:04 (PDT)
Scanner results: 59% Scanner(22/37) found malware!
File Name : stsystra.exe
File Size : 30720 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 0334b4eb4fbfb33c0f821d94bd30c7fa
SHA1 : 6e1e44b0803c70adc6ea5b5b537e6c87c8751722
Online report : http://virscan.org/report/0c21974d3b4907f5...3e2bab54cc.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091014103134 2009-10-14 4.13 Trojan-Downloader.Win32.Small!IK
AhnLab V3 2009.10.14.01 2009.10.14 2009-10-14 1.19 Win-Trojan/Downloader.30720.EO
AntiVir 8.2.1.35 7.1.6.109 2009-10-14 0.44 TR/Dldr.Small.kgn
Antiy 2.0.18 20091014.3003440 2009-10-14 0.12 Trojan/Win32.Small.anuu[Downloader]
Arcavir 2009 200910141053 2009-10-14 0.07 Downloader.Small.Kgn
Authentium 5.1.1 200910140109 2009-10-14 1.21 -
AVAST! 4.7.4 091013-0 2009-10-13 0.01 Win32:Malware-gen
AVG 8.5.288 270.14.16/2435 2009-10-14 0.31 Worm/Koobface.K
BitDefender 7.81008.4340639 7.28315 2009-10-14 3.73 Trojan.Generic.2520953
CA (VET) 9.0.0.143 35.1.7065 2009-10-14 9.47 -
ClamAV 0.95.2 9893 2009-10-14 0.01 -
Comodo 3.12 2599 2009-10-13 0.74 -
CP Secure 1.3.0.5 2009.10.14 2009-10-14 0.05 Troj.Downloader.W32.Small.kgn
Dr.Web 4.44.0.9170 2009.10.14 2009-10-14 5.51 Trojan.DownLoad.50126
F-Prot 4.4.4.56 20091013 2009-10-13 1.24 -
F-Secure 7.02.73807 2009.10.14.08 2009-10-14 0.09 Trojan-Downloader.Win32.Small.kgn [AVP]
Fortinet 2.81-3.120 10.941 2009-10-13 0.18 W32/Small.KGN!tr.dldr
GData 19.8393/19.510 20091014 2009-10-14 5.06 Trojan-Downloader.Win32.Small.kgn [Engine:A]
ViRobot 20091013 2009.10.13 2009-10-13 0.43 -
Ikarus T3.1.01.72 2009.10.14.74111 2009-10-14 4.12 Trojan-Downloader.Win32.Small
JiangMin 11.0.800 2009.10.08 2009-10-08 7.71 -
Kaspersky 5.5.10 2009.10.14 2009-10-14 0.06 Trojan-Downloader.Win32.Small.kgn
KingSoft 2009.2.5.15 2009.10.14.18 2009-10-14 0.62 Win32.TrojDownloader.Small.30720
McAfee 5.3.00 5770 2009-10-13 3.38 Generic Downloader.x!bnr
Microsoft 1.5101 2009.10.14 2009-10-14 6.08 -
Norman 6.01.09 6.01.00 2009-10-14 2.00 -
Panda 9.05.01 2009.10.13 2009-10-13 1.73 Trj/Downloader.MDW
Trend Micro 8.700-1004 6.542.01 2009-10-13 0.02 TROJ_AGENT.ZXDG
Quick Heal 10.00 2009.10.14 2009-10-14 1.26 TrojanDownloader.Small.kgn
Rising 20.0 21.51.20.00 2009-10-14 0.88 -
Sophos 3.00.1 4.46 2009-10-14 2.44 -
Sunbelt 5448 5448 2009-10-13 1.57 Trojan.Win32.Generic!BT
Symantec 1.3.0.24 20091013.002 2009-10-13 0.17 -
nProtect 20091013.02 5806236 2009-10-13 7.70 -
The Hacker 6.5.0.2 v00041 2009-10-13 0.80 -
VBA32 3.12.10.11 20091013.1125 2009-10-13 1.86 Trojan-Downloader.Win32.Small.anvv
VirusBuster 4.5.11.10 10.112.67/2004813 2009-10-13 2.50 -


------


DDS (Ver_09-06-26.01) - NTFSx86
Run by GHL at 6:45:35.23 on Wed 10/14/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1462 [GMT -7:00]

AV: avast! antivirus 4.8.1356 [VPS 091013-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\GHL\Self-Installed\Palm\Hotsync.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\GHL\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070403
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: VideoRaptorIePlugin Class: {90c8e8f8-a7c9-41e4-92e4-c679ae6fb78d} - c:\program files\videoraptor\VideoRaptorIePlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\bambite\mbam.exe" /runcleanupscript
mRun: [ZoneAlarm Client] "c:\program files\zonealarm\zlclient.exe"
mRun: [avast!] c:\progra~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\ghl\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\ghl\self-installed\palm\Hotsync.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\sas\SASWINLO.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\sas\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [2009-7-10 36512]
R0 csdf;csdf;c:\windows\system32\drivers\csdf.sys [2009-7-10 39456]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-10 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\sas\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\sas\SASKUTIL.SYS [2009-9-15 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-10-10 353672]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-10 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast4\ashServ.exe [2009-10-9 138680]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-2-4 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-2-4 47640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-12 24652]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast4\ashMaiSv.exe [2009-10-9 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast4\ashWebSv.exe [2009-10-9 352920]
S3 SASENUM;SASENUM;c:\program files\sas\SASENUM.SYS [2009-9-15 7408]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-10-14 00:05 <DIR> --d----- c:\windows\system32\Logs
2009-10-13 03:41 <DIR> --d----- C:\_OTM
2009-10-10 21:10 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-10-10 21:10 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-10-10 21:10 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-10-10 21:10 <DIR> --d----- c:\program files\ZoneAlarm
2009-10-10 21:10 350,192 a------- c:\windows\system32\vsconfig.xml
2009-10-10 21:08 <DIR> --d----- c:\windows\Internet Logs
2009-10-10 21:08 33,952,648 a------- c:\program files\zaSetup_80_298_000_en.exe
2009-10-10 10:09 236,544 a------- c:\windows\PEV.exe
2009-10-10 10:09 161,792 a------- c:\windows\SWREG.exe
2009-10-10 10:09 98,816 a------- c:\windows\sed.exe
2009-10-10 10:09 <DIR> --d----- C:\Combo-Fix
2009-10-09 23:12 <DIR> --d----- c:\program files\Avast4
2009-10-09 20:58 <DIR> --d----- c:\program files\bambite
2009-10-09 20:54 <DIR> --d----- c:\program files\SAS
2009-10-09 20:53 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-10-09 20:24 <DIR> --d----- c:\windows\ERUNT
2009-10-09 20:23 <DIR> --d----- C:\!FixIEDef
2009-10-09 20:00 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-10-09 19:58 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-30 16:33 <DIR> --d----- c:\windows\system32\NtmsData

==================== Find3M ====================

2009-10-13 20:58 48,944 a------- c:\windows\system32\nvModes.dat
2009-10-10 22:16 308,160 a------- c:\program files\avast_home_setup.exe
2009-10-09 19:33 14,336 -------- c:\windows\system32\svchost.exe
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-10 01:11 2,744,087 a------- c:\program files\flac-1.2.1b.exe
2009-09-07 17:47 7,886,336 a------- c:\program files\moto setup.msi
2009-09-07 16:05 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2009-09-07 16:05 28,984 a------- c:\windows\system32\LMIport.dll
2009-09-07 16:05 87,352 a------- c:\windows\system32\LMIinit.dll
2009-09-07 16:05 25,248 a------- c:\windows\system32\LMImirr.dll
2009-09-07 16:05 11,552 a------- c:\windows\system32\LMImirr2.dll
2009-08-13 08:16 512,000 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 02:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-01 18:38 6,008,376 a------- c:\program files\ashampoo_burning_studio_6_free_676_4280.exe
2009-07-28 21:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 21:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-28 21:37 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-07-28 21:37 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-23 10:52 278,221 a------- c:\program files\gmer.zip
2009-07-19 06:33 3,597,824 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 06:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 12:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-11 18:20 265,216 a------- c:\program files\TFC.exe
2009-07-11 18:18 794,112 a------- c:\program files\The_Comedian.exe
2009-07-11 05:50 812,344 a------- c:\program files\HJTInstall.exe
2009-07-10 21:24 5,575,824 a------- c:\program files\CSC_Setup_1.1.64946.38_xp_vista_server2003_x32.exe
2009-07-04 15:26 2,228,534 a------- c:\program files\audacity-win-1.2.6.exe
2009-07-04 11:04 23,442,487 a------- c:\program files\INSTALL.zip
2009-07-04 10:39 2,790,624 a------- c:\program files\x-audio-converter-CNET.exe
2009-07-04 10:27 6,698,028 a------- c:\program files\aaep.exe
2009-07-04 10:23 8,079,082 a------- c:\program files\audioextractor.exe
2009-07-04 10:19 3,176,437 a------- c:\program files\youtubedownloader.exe
2009-07-03 19:41 7,814,384 a------- c:\program files\audiocapture_wmf_setup.exe
2009-07-03 19:30 751,167 a------- c:\program files\sc11a.exe
2009-07-03 19:23 2,813,421 a------- c:\program files\m4a-to-mp3-converter.exe
2009-07-03 18:58 77,690,152 a------- c:\program files\iTunesSetup.exe
2009-07-03 11:34 434,832 a------- c:\program files\switchsetup.exe
2009-07-03 11:31 6,692,753 a------- c:\program files\Setup_FreeConverter.exe
2009-07-03 11:18 21,935,408 a------- c:\program files\QuickTimeInstaller.exe
2009-06-24 07:03 13,905,056 a------- c:\program files\aim6591.exe
2009-04-12 12:32 15,452,536 a------- c:\program files\IE7-WindowsXP-x86-enu.exe

============= FINISH: 6:46:12.29 ===============

Attached File(s)
Attached File  DDSAttach101409.txt ( 16.71K ) Number of downloads: 170
 
Go to the top of the page
 
+Quote Post
oldman960
post Oct 14 2009, 06:45 PM
Post #18


SuperHelper
Group Icon

Group: Classroom Teacher
Posts: 5,694
Joined: 27-April 08
Member No.: 78,707
Operating System: win98se, XP pro
Hi Greyspace,

No problem. It's taking a bit to determine where this is running from and what's legetimate and what's not.

We will remove what we have confirmed and use a different site. to check a couple of files.

We'll use OTM again
  • Please double-click OTM.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Do Not copy the word CODE note the fix starts with the :
    CODE
    :Processes
    explorer.exe

    :Files
    C:\Program Files\GHL\Self-Installed\stsystra.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
    C:\Program Files\Adobe\acrotray .exe
    C:\Program Files\GHL\Self-Installed\Tunebite
    C:\Program Files\Adobe

    :Commands
    [Reboot]

  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

We will use Virustotal Please submit these files for analysis

To submit a file to virustotal, please click on this link

Http://www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
c:\windows\system32\ctfmon.exe


scroll down a bit and click "send file", wait for the results and post them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.

Next

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield
  • Do not copy the word CODE , please note the script starts with the :
    CODE
    :filefind
    *ISUSPM*
    *nvHotkey*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Please post back with
  • OTM log
  • VirusTotal results
  • SystemLook log


Thanks
Go to the top of the page
 
+Quote Post
greyspace
post Oct 14 2009, 07:29 PM
Post #19


Authentic Member
**

Group: Authentic Member
Posts: 50
Joined: 13-January 04
Member No.: 1,974
Hi again, below are the logs. I hope that I copied and pasted the VirusTotal log correctly.

========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
C:\Program Files\GHL\Self-Installed\stsystra.exe moved successfully.
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe moved successfully.
C:\Program Files\Adobe\acrotray .exe moved successfully.
C:\Program Files\GHL\Self-Installed\Tunebite\AutoTag\general moved successfully.
C:\Program Files\GHL\Self-Installed\Tunebite\AutoTag moved successfully.
C:\Program Files\GHL\Self-Installed\Tunebite moved successfully.
C:\Program Files\Adobe\Acrobat 7.0\ActiveX moved successfully.
C:\Program Files\Adobe\Acrobat 7.0 moved successfully.
C:\Program Files\Adobe moved successfully.
========== COMMANDS ==========

OTM by OldTimer - Version 3.0.0.6 log created on 10142009_180428

Files moved on Reboot...

Registry entries deleted on Reboot...

------------------------------

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.15 -
AhnLab-V3 5.0.0.2 2009.10.14 -
AntiVir 7.9.1.35 2009.10.14 -
Antiy-AVL 2.0.3.7 2009.10.14 -
Authentium 5.1.2.4 2009.10.15 -
Avast 4.8.1351.0 2009.10.14 -
AVG 8.5.0.420 2009.10.14 -
BitDefender 7.2 2009.10.15 -
CAT-QuickHeal 10.00 2009.10.14 -
ClamAV 0.94.1 2009.10.14 -
Comodo 2601 2009.10.15 -
DrWeb 5.0.0.12182 2009.10.14 -
eSafe 7.0.17.0 2009.10.14 -
eTrust-Vet 35.1.7068 2009.10.14 -
F-Prot 4.5.1.85 2009.10.14 -
F-Secure 8.0.14470.0 2009.10.14 -
Fortinet 3.120.0.0 2009.10.15 -
GData 19 2009.10.15 -
Ikarus T3.1.1.72.0 2009.10.15 -
Jiangmin 11.0.800 2009.10.08 -
K7AntiVirus 7.10.870 2009.10.14 -
Kaspersky 7.0.0.125 2009.10.15 -
McAfee 5771 2009.10.14 -
McAfee+Artemis 5771 2009.10.14 -
McAfee-GW-Edition 6.8.5 2009.10.14 -
Microsoft 1.5101 2009.10.14 -
NOD32 4508 2009.10.14 -
Norman 6.01.09 2009.10.14 -
nProtect 2009.1.8.0 2009.10.14 -
Panda 10.0.2.2 2009.10.15 -
PCTools 4.4.2.0 2009.10.14 -
Prevx 3.0 2009.10.15 -
Rising 21.51.24.00 2009.10.14 -
Sophos 4.46.0 2009.10.15 -
Sunbelt 3.2.1858.2 2009.10.15 -
Symantec 1.4.4.12 2009.10.15 -
TheHacker 6.5.0.2.042 2009.10.14 -
TrendMicro 8.950.0.1094 2009.10.14 -
VBA32 3.12.10.11 2009.10.14 -
ViRobot 2009.10.14.1984 2009.10.14 -
VirusBuster 4.6.5.0 2009.10.14 -
Additional information
File size: 221184 bytes
MD5...: fb9e5c251cf6c37749f296bacb34a69b
SHA1..: 726df7171d5f28f922d6a258cdb6b0c18a257c91
SHA256: d6fad9c7406071291095811d0fecea8940365c8e345d7c099853fce2d1fe4412
ssdeep: 3072:8i9/PQOtzB0SLsw9Sgn+30Ts5xt3b8FlJn9OCJGbc7npCXeiqKIAq:JhoOR
ww9NI5xt3oFlJsn0F

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x16c44
timedatestamp.....: 0x4106ce30 (Tue Jul 27 21:50:40 2004)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x19bea 0x1a000 6.49 6085a26cfd23233b3b236ae2f680907f
.rdata 0x1b000 0x2424 0x3000 4.76 1036fc6e472ca7d05e3ebb707c8502da
.data 0x1e000 0x4108 0x4000 1.74 b3b8f8a7556618eda9a8a2b13ff39f2a
.rsrc 0x23000 0x13100 0x14000 6.43 db19321e4bb6f8a21aee7c2405e1bfb2

( 9 imports )
> KERNEL32.dll: FreeLibrary, GetProcAddress, GetSystemTime, lstrcmpiA, GetPrivateProfileStringA, WritePrivateProfileStringA, CreateProcessA, GetModuleFileNameA, CloseHandle, CreateMutexA, GetCurrentThreadId, CreateEventA, WaitForSingleObject, InitializeCriticalSection, HeapDestroy, DeleteCriticalSection, InterlockedIncrement, InterlockedDecrement, lstrcmpA, LockResource, FreeResource, GlobalHandle, GetShortPathNameA, GetModuleHandleA, MulDiv, TerminateThread, CreateThread, ExitThread, GetDateFormatA, lstrcpynA, CreateDirectoryA, GetStringTypeW, GetStringTypeA, GetOEMCP, GetACP, GlobalFree, GetCPInfo, LCMapStringW, LCMapStringA, WriteFile, TlsGetValue, TlsAlloc, TlsSetValue, GetFileType, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, RtlUnwind, HeapCreate, GetEnvironmentVariableA, VirtualAlloc, VirtualFree, HeapSize, TerminateProcess, ExitProcess, GetVersion, GetCommandLineA, GetStartupInfoA, HeapFree, HeapAlloc, HeapReAlloc, GlobalAlloc, GlobalLock, GlobalUnlock, GetCurrentProcess, FlushInstructionCache, EnterCriticalSection, LeaveCriticalSection, SetEvent, CopyFileA, GetFileAttributesA, GetTickCount, CompareStringW, CompareStringA, lstrlenW, LoadLibraryA, FindResourceExA, FindResourceA, LoadResource, GetVersionExA, GetUserDefaultLangID, lstrcpyA, WideCharToMultiByte, lstrlenA, MultiByteToWideChar, GetLastError, SetLastError, GetWindowsDirectoryA
> USER32.dll: IsWindow, BeginPaint, FillRect, EndPaint, GetFocus, IsChild, SetFocus, GetSysColor, RedrawWindow, GetClassNameA, GetDesktopWindow, CreateAcceleratorTableA, ReleaseCapture, SetCapture, GetParent, ReleaseDC, ScreenToClient, SetWindowPos, DrawTextA, SendMessageA, GetDC, CopyRect, GetClientRect, GetWindowRect, InvalidateRect, ShowWindow, SetWindowTextA, InvalidateRgn, AppendMenuA, GetSystemMenu, SetForegroundWindow, UpdateWindow, SetCursor, PtInRect, SetTimer, LoadBitmapA, GetSysColorBrush, CreateWindowExA, GetDlgItem, wsprintfA, EndDialog, CallWindowProcA, GetWindowTextLengthA, GetWindowTextA, RegisterWindowMessageA, GetClassInfoExA, RegisterClassExA, DialogBoxIndirectParamA, DialogBoxParamA, CreateDialogIndirectParamA, CreateDialogParamA, GetMessageA, MsgWaitForMultipleObjects, GetActiveWindow, FindWindowA, DefWindowProcA, CharLowerA, MessageBoxA, DestroyWindow, EnableWindow, LoadCursorA, SetClassLongA, PostQuitMessage, GetSystemMetrics, LoadImageA, PeekMessageA, IsDialogMessageA, TranslateMessage, DispatchMessageA, GetWindowLongA, GetWindow, SystemParametersInfoA, MapWindowPoints, SetWindowLongA, GetDlgCtrlID
> GDI32.dll: SetBkMode, CreateFontIndirectA, SetTextColor, GetStockObject, GetObjectA, CreateSolidBrush, DeleteObject, CreateCompatibleBitmap, CreateCompatibleDC, BitBlt, DeleteDC, SelectObject, GetDeviceCaps
> ADVAPI32.dll: RegCloseKey, RegOpenKeyExA, RegOpenKeyA, RegSetValueExA, RegCreateKeyExA, RegQueryInfoKeyA, RegEnumValueA, RegQueryValueExA
> SHELL32.dll: Shell_NotifyIconA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, ShellExecuteA
> ole32.dll: OleLockRunning, CoTaskMemAlloc, StringFromCLSID, CoTaskMemFree, CLSIDFromProgID, OleUninitialize, OleInitialize, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, CoCreateInstance, CLSIDFromString
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
> COMCTL32.dll: ImageList_Create, ImageList_Destroy, ImageList_AddMasked, -

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ThreatExpert info: <a href='http://www.threatexpert.com/report.aspx?md5=fb9e5c251cf6c37749f296bacb34a69b' target='_blank'>http://www.threatexpert.com/report.aspx?md5=fb9e5c251cf6c37749f296bacb34a69b</a>
sigcheck:
publisher....: InstallShield Software Corporation
copyright....: Copyright © 1990-2004 InstallShield Software Corporation
product......: InstallShield Update Service
description..: InstallShield Update Service Update Manager
original name: ISUSPM.exe
internal name: ProgramManager
file version.: 3, 10, 100, 1155
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

------------------------------

File ctfmon.exe received on 2009.10.15 01:20:09 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 1/41 (2.44%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 40 and 57 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.15 -
AhnLab-V3 5.0.0.2 2009.10.14 -
AntiVir 7.9.1.35 2009.10.14 -
Antiy-AVL 2.0.3.7 2009.10.14 -
Authentium 5.1.2.4 2009.10.15 -
Avast 4.8.1351.0 2009.10.14 -
AVG 8.5.0.420 2009.10.14 -
BitDefender 7.2 2009.10.15 -
CAT-QuickHeal 10.00 2009.10.14 -
ClamAV 0.94.1 2009.10.14 -
Comodo 2601 2009.10.15 -
DrWeb 5.0.0.12182 2009.10.14 -
eSafe 7.0.17.0 2009.10.14 Win32.Banker
eTrust-Vet 35.1.7068 2009.10.14 -
F-Prot 4.5.1.85 2009.10.14 -
F-Secure 8.0.14470.0 2009.10.14 -
Fortinet 3.120.0.0 2009.10.15 -
GData 19 2009.10.15 -
Ikarus T3.1.1.72.0 2009.10.15 -
Jiangmin 11.0.800 2009.10.08 -
K7AntiVirus 7.10.870 2009.10.14 -
Kaspersky 7.0.0.125 2009.10.15 -
McAfee 5771 2009.10.14 -
McAfee+Artemis 5771 2009.10.14 -
McAfee-GW-Edition 6.8.5 2009.10.14 -
Microsoft 1.5101 2009.10.14 -
NOD32 4508 2009.10.14 -
Norman 6.01.09 2009.10.14 -
nProtect 2009.1.8.0 2009.10.14 -
Panda 10.0.2.2 2009.10.15 -
PCTools 4.4.2.0 2009.10.14 -
Prevx 3.0 2009.10.15 -
Rising 21.51.24.00 2009.10.14 -
Sophos 4.46.0 2009.10.15 -
Sunbelt 3.2.1858.2 2009.10.15 -
Symantec 1.4.4.12 2009.10.15 -
TheHacker 6.5.0.2.042 2009.10.14 -
TrendMicro 8.950.0.1094 2009.10.14 -
VBA32 3.12.10.11 2009.10.14 -
ViRobot 2009.10.14.1984 2009.10.14 -
VirusBuster 4.6.5.0 2009.10.14 -
Additional information
File size: 15360 bytes
MD5...: 5f1d5f88303d4a4dbc8e5f97ba967cc3
SHA1..: 99cb7370f16773c8e2d0c86fe805ec638ab126e9
SHA256: 5fb24fc7916a6e6b3be7d84cb1684215b266cd1495575c2e5672b8447932e5b1
ssdeep: 192:W6hGoc4F/MNhlYWpjZ+o7NpO7MIl8SVPTI7mW7rOi7oLG9lMnjmxAITljrUF
E3W3:FA1Eo7NY8MPTIaW7/lumxlJlWDlgW

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2e35
timedatestamp.....: 0x48025356 (Sun Apr 13 18:39:18 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2ab8 0x2c00 6.75 414ce647d4328e7513d4155b1a2c9499
.data 0x4000 0x210 0x200 1.07 bd8c5cd346a9f53dc0dbc69260ab2240
.rsrc 0x5000 0x870 0xa00 3.85 421ca88053c2138f828a915f2a95d754

( 6 imports )
> msvcrt.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _cexit, _XcptFilter, _exit, _c_exit
> ADVAPI32.dll: RegDeleteValueA, RegOpenKeyExA, RegCloseKey, RegSetValueExA, RegCreateKeyA, RegCreateKeyExA
> KERNEL32.dll: lstrcpynA, lstrlenA, GetSystemDirectoryA, GetSystemWindowsDirectoryA, GetVersionExA, GetACP, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LocalFree, CloseHandle, ResetEvent, OpenEventA, CreateProcessA, lstrcatA, GetSystemInfo, lstrcmpiA, FreeLibrary, LoadLibraryA, CreateEventA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, LocalAlloc, GetProcAddress
> USER32.dll: EnumWindows, GetClassNameA, FindWindowA, PostMessageA, SetTimer, KillTimer, MsgWaitForMultipleObjects, PeekMessageA, TranslateMessage, DispatchMessageA, GetMessageA, SetWindowPos, LoadCursorA, RegisterClassExA, DefWindowProcA, PostQuitMessage, CreateWindowExA, GetSystemMetrics
> MSCTF.dll: TF_InitSystem, TF_GetGlobalCompartment, TF_InvalidAssemblyListCacheIfExist, TF_InvalidAssemblyListCache, TF_PostAllThreadMsg, TF_CreateCicLoadMutex, TF_UninitSystem
> MSUTB.dll: ClosePopupTipbar, GetPopupTipbar

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
ThreatExpert info: <a href='http://www.threatexpert.com/report.aspx?md5=5f1d5f88303d4a4dbc8e5f97ba967cc3' target='_blank'>http://www.threatexpert.com/report.aspx?md5=5f1d5f88303d4a4dbc8e5f97ba967cc3</a>
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: CTF Loader
original name: CTFMON.EXE
internal name: CTFMON
file version.: 5.1.2600.5512 (xpsp.080413-2105)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

------------------

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 18:25 on 14/10/2009 by GHL (Administrator - Elevation successful)

========== filefind ==========

Searching for "*ISUSPM*"
C:\Documents and Settings\All Users\Application Data\InstallShield\UpdateService\Database\isuspm.ini --a--- 39 bytes [03:13 04/04/2007] [03:13 04/04/2007] 91DC93FD4E697E7E6E26215AA81C2C38
C:\i386\ISUSPM.cpl --a--- 73728 bytes [13:46 16/04/2007] [21:50 27/07/2004] 9BC4B93A567F470FFE7709A8BE39BF00
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe --a--- 221184 bytes [21:50 27/07/2004] [21:50 27/07/2004] FB9E5C251CF6C37749F296BACB34A69B
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe -startup --a--- 30720 bytes [02:33 10/10/2009] [05:22 10/10/2009] 0334B4EB4FBFB33C0F821D94BD30C7FA
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe.manifest --a--- 586 bytes [21:47 27/07/2004] [21:47 27/07/2004] F6EDF9703C2B936F96324DC366E19C22
C:\WINDOWS\Prefetch\ISUSPM.EXE-0FE4BBE2.pf --a--- 16798 bytes [11:48 14/10/2009] [01:10 15/10/2009] 752A879003A84544D4C5FF2FA60389FA
C:\WINDOWS\system32\ISUSPM.cpl --a--- 73728 bytes [21:50 27/07/2004] [21:50 27/07/2004] 9BC4B93A567F470FFE7709A8BE39BF00
C:\_OTM\MovedFiles\10142009_180428\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe --a--- 30720 bytes [02:33 10/10/2009] [02:33 10/10/2009] 0334B4EB4FBFB33C0F821D94BD30C7FA

Searching for "*nvHotkey*"
C:\drivers\video\addon\nvHotkey.dl_ --a--- 44606 bytes [02:42 04/04/2007] [11:03 21/03/2006] 6523C514B79EB033E0EB31C29BB6BF8A
C:\i386\nvhotkey.dll --a--- 73728 bytes [13:49 16/04/2007] [11:03 21/03/2006] 501346DE4716A3B74029B8955D285CFB
C:\Program Files\GHL\Self-Installed\rundll32.exe nvhotkey.dll,start --a--- 30720 bytes [02:43 10/10/2009] [02:43 10/10/2009] 0334B4EB4FBFB33C0F821D94BD30C7FA
C:\Qoobox\Quarantine\C\Documents and Settings\GH\rundll32.exe nvhotkey .exe.vir --a--- 30720 bytes [02:54 10/10/2009] [03:18 10/10/2009] 0334B4EB4FBFB33C0F821D94BD30C7FA
C:\WINDOWS\system32\nvhotkey.dll --a--- 73728 bytes [02:42 04/04/2007] [11:03 21/03/2006] 501346DE4716A3B74029B8955D285CFB

-=End Of File=-
Go to the top of the page
 
+Quote Post
oldman960
post Oct 14 2009, 11:49 PM
Post #20


SuperHelper
Group Icon

Group: Classroom Teacher
Posts: 5,694
Joined: 27-April 08
Member No.: 78,707
Operating System: win98se, XP pro
Hi Greyspace,

Good job. We have a couple of more files to remove.

We'll use OTM again
  • Please double-click OTM.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Do Not copy the word CODE note the fix starts with the :
    CODE
    :Processes
    explorer.exe

    :Files
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe -startup
    C:\Program Files\GHL\Self-Installed\rundll32.exe nvhotkey.dll,start

    :Commands
    [Reboot]

  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Are you aware of this program installed on your computer? LogMeIn

I hate to do this but I'd like you to run another Kaspersky scan the same way you did before.

Please post back with
  • OTM log
  • Kaspersky log
  • new DDS.txt
No need for the Attach.txt this time.

How is the computer?

Thanks
Go to the top of the page
 
+Quote Post
greyspace
post Oct 15 2009, 08:11 AM
Post #21


Authentic Member
**

Group: Authentic Member
Posts: 50
Joined: 13-January 04
Member No.: 1,974
Hi again. For the most part, the computer seems to be running fine. Just still a little worried/paranoid that there is something running on the computer accessing information it shouldn't so it makes me a little hesitant to connect to the internet.

I am aware of the logmein program running. I've used it in the past for remote access.

Below are the log files you requested. Again, thanks so much.




========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe -startup moved successfully.
C:\Program Files\GHL\Self-Installed\rundll32.exe nvhotkey.dll,start moved successfully.
========== COMMANDS ==========

OTM by OldTimer - Version 3.0.0.6 log created on 10152009_045920

Files moved on Reboot...

Registry entries deleted on Reboot...


--------------------------------------------------------------------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, October 15, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, October 15, 2009 13:39:24
Records in database: 2997891
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 72511
Threats found: 11
Infected objects found: 21
Suspicious objects found: 0
Scan duration: 01:21:58


File name / Threat / Threats count
C:\Program Files\GHL\Self-Installed\LogMeIn.msi Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 2
C:\Qoobox\Quarantine\C\Documents and Settings\GH\rundll32.exe nvhotkey .exe.vir Infected: Trojan-Downloader.Win32.Small.kgn 1
C:\Qoobox\Quarantine\C\Documents and Settings\GH\stsystra .exe.vir Infected: Trojan-Downloader.Win32.Small.kgn 1
C:\Qoobox\Quarantine\C\Documents and Settings\GHL\Application Data\svcst .exe.vir Infected: Trojan.Win32.Vilsel.idd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\critical_warning.html.vir Infected: Trojan.HTML.Fraud.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir Infected: Trojan.Win32.Sirefef.a 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\p0duaad.dll.vir Infected: Trojan-Downloader.Win32.Small.ante 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winhelper.dll.vir Infected: Trojan.Win32.BHO.abbr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate .exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.ftv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.ftv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir Infected: Trojan.Win32.Vilsel.ihc 1
C:\_OTM\MovedFiles\10132009_034113\tixqapi.exe Infected: Trojan.Win32.Agent2.cjge 1
C:\_OTM\MovedFiles\10132009_034113\tixqapi.exe Infected: Trojan.Win32.Agent.cyna 1
C:\_OTM\MovedFiles\10142009_180428\Program Files\Adobe\acrotray .exe Infected: Trojan-Downloader.Win32.Small.kgn 1
C:\_OTM\MovedFiles\10142009_180428\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe Infected: Trojan-Downloader.Win32.Small.kgn 1
C:\_OTM\MovedFiles\10142009_180428\Program Files\GHL\Self-Installed\stsystra.exe Infected: Trojan-Downloader.Win32.Small.kgn 1
C:\_OTM\MovedFiles\10142009_180428\Program Files\GHL\Self-Installed\Tunebite\tunebite .exe Infected: Trojan-Downloader.Win32.Small.kgn 1
C:\_OTM\MovedFiles\10142009_180428\Program Files\GHL\Self-Installed\Tunebite\tunebite.exe -tray Infected: Trojan-Downloader.Win32.Small.kgn 1
C:\_OTM\MovedFiles\10152009_045920\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe -startup Infected: Trojan-Downloader.Win32.Small.kgn 1
C:\_OTM\MovedFiles\10152009_045920\Program Files\GHL\Self-Installed\rundll32.exe nvhotkey.dll,start Infected: Trojan-Downloader.Win32.Small.kgn 1

Selected area has been scanned.


------------------------------------------


DDS (Ver_09-06-26.01) - NTFSx86
Run by GHL at 7:08:35.56 on Thu 10/15/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1279 [GMT -7:00]

AV: avast! antivirus 4.8.1356 [VPS 091014-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\GHL\Self-Installed\Palm\Hotsync.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\GHL\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070403
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: VideoRaptorIePlugin Class: {90c8e8f8-a7c9-41e4-92e4-c679ae6fb78d} - c:\program files\videoraptor\VideoRaptorIePlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\bambite\mbam.exe" /runcleanupscript
mRun: [ZoneAlarm Client] "c:\program files\zonealarm\zlclient.exe"
mRun: [avast!] c:\progra~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\ghl\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\ghl\self-installed\palm\Hotsync.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\sas\SASWINLO.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\sas\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [2009-7-10 36512]
R0 csdf;csdf;c:\windows\system32\drivers\csdf.sys [2009-7-10 39456]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-10 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\sas\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\sas\SASKUTIL.SYS [2009-9-15 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-10-10 353672]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-10 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast4\ashServ.exe [2009-10-9 138680]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-2-4 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-2-4 47640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-12 24652]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast4\ashMaiSv.exe [2009-10-9 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast4\ashWebSv.exe [2009-10-9 352920]
S3 SASENUM;SASENUM;c:\program files\sas\SASENUM.SYS [2009-9-15 7408]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-10-14 00:05 <DIR> --d----- c:\windows\system32\Logs
2009-10-13 03:41 <DIR> --d----- C:\_OTM
2009-10-10 21:10 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-10-10 21:10 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-10-10 21:10 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-10-10 21:10 <DIR> --d----- c:\program files\ZoneAlarm
2009-10-10 21:10 350,192 a------- c:\windows\system32\vsconfig.xml
2009-10-10 21:08 <DIR> --d----- c:\windows\Internet Logs
2009-10-10 21:08 33,952,648 a------- c:\program files\zaSetup_80_298_000_en.exe
2009-10-10 10:09 236,544 a------- c:\windows\PEV.exe
2009-10-10 10:09 161,792 a------- c:\windows\SWREG.exe
2009-10-10 10:09 98,816 a------- c:\windows\sed.exe
2009-10-10 10:09 <DIR> --d----- C:\Combo-Fix
2009-10-09 23:12 <DIR> --d----- c:\program files\Avast4
2009-10-09 20:58 <DIR> --d----- c:\program files\bambite
2009-10-09 20:54 <DIR> --d----- c:\program files\SAS
2009-10-09 20:53 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-10-09 20:24 <DIR> --d----- c:\windows\ERUNT
2009-10-09 20:23 <DIR> --d----- C:\!FixIEDef
2009-10-09 20:00 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-10-09 19:58 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-30 16:33 <DIR> --d----- c:\windows\system32\NtmsData

==================== Find3M ====================

2009-10-13 20:58 48,944 a------- c:\windows\system32\nvModes.dat
2009-10-10 22:16 308,160 a------- c:\program files\avast_home_setup.exe
2009-10-09 19:33 14,336 -------- c:\windows\system32\svchost.exe
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-10 01:11 2,744,087 a------- c:\program files\flac-1.2.1b.exe
2009-09-07 17:47 7,886,336 a------- c:\program files\moto setup.msi
2009-09-07 16:05 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2009-09-07 16:05 28,984 a------- c:\windows\system32\LMIport.dll
2009-09-07 16:05 87,352 a------- c:\windows\system32\LMIinit.dll
2009-09-07 16:05 25,248 a------- c:\windows\system32\LMImirr.dll
2009-09-07 16:05 11,552 a------- c:\windows\system32\LMImirr2.dll
2009-08-17 23:33 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-13 08:16 512,000 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 02:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 08:13 2,145,280 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 08:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 07:20 2,023,936 -------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 07:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 07:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-08-01 18:38 6,008,376 a------- c:\program files\ashampoo_burning_studio_6_free_676_4280.exe
2009-07-28 21:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 21:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-28 21:37 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-07-28 21:37 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-23 10:52 278,221 a------- c:\program files\gmer.zip
2009-07-19 06:33 3,597,824 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 06:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 12:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-11 18:20 265,216 a------- c:\program files\TFC.exe
2009-07-11 18:18 794,112 a------- c:\program files\The_Comedian.exe
2009-07-11 05:50 812,344 a------- c:\program files\HJTInstall.exe
2009-07-10 21:24 5,575,824 a------- c:\program files\CSC_Setup_1.1.64946.38_xp_vista_server2003_x32.exe
2009-07-04 15:26 2,228,534 a------- c:\program files\audacity-win-1.2.6.exe
2009-07-04 11:04 23,442,487 a------- c:\program files\INSTALL.zip
2009-07-04 10:39 2,790,624 a------- c:\program files\x-audio-converter-CNET.exe
2009-07-04 10:27 6,698,028 a------- c:\program files\aaep.exe
2009-07-04 10:23 8,079,082 a------- c:\program files\audioextractor.exe
2009-07-04 10:19 3,176,437 a------- c:\program files\youtubedownloader.exe
2009-07-03 19:41 7,814,384 a------- c:\program files\audiocapture_wmf_setup.exe
2009-07-03 19:30 751,167 a------- c:\program files\sc11a.exe
2009-07-03 19:23 2,813,421 a------- c:\program files\m4a-to-mp3-converter.exe
2009-07-03 18:58 77,690,152 a------- c:\program files\iTunesSetup.exe
2009-07-03 11:34 434,832 a------- c:\program files\switchsetup.exe
2009-07-03 11:31 6,692,753 a------- c:\program files\Setup_FreeConverter.exe
2009-07-03 11:18 21,935,408 a------- c:\program files\QuickTimeInstaller.exe
2009-06-24 07:03 13,905,056 a------- c:\program files\aim6591.exe
2009-04-12 12:32 15,452,536 a------- c:\program files\IE7-WindowsXP-x86-enu.exe

============= FINISH: 7:08:59.90 ===============
Go to the top of the page
 
+Quote Post
greyspace
post Oct 15 2009, 03:05 PM
Post #22


Authentic Member
**

Group: Authentic Member
Posts: 50
Joined: 13-January 04
Member No.: 1,974
By the way, one thing I did notice on the computer is that it has buttons on the front of it for volume, CD/DVD playback, etc. I used to be able to mute, lower or raise the volume by pressing these buttons, etc. and when I would do that, I'd get a display that would show up so I could see it was working and now that doesn't seem to work.

This post has been edited by greyspace: Oct 15 2009, 03:24 PM
Go to the top of the page
 
+Quote Post
oldman960
post Oct 15 2009, 06:36 PM
Post #23


SuperHelper
Group Icon

Group: Classroom Teacher
Posts: 5,694
Joined: 27-April 08
Member No.: 78,707
Operating System: win98se, XP pro
Hi Greyspace,

Your logs are clean, no malware left. The Kaspersky detections are files we have quarantined and LogMeIn, which it detected as "riskware". Not a problem as long as you knowingly installed it. We will remove the quarantined files shortly.

QUOTE
it has buttons on the front of it for volume, CD/DVD playback, etc.

When did you first notice the missing display?

Please post the contents of this file

C:\Qoobox\ComboFix-quarantined-files.txt

Thanks
Go to the top of the page
 
+Quote Post
greyspace
post Oct 15 2009, 06:54 PM
Post #24


Authentic Member
**

Group: Authentic Member
Posts: 50
Joined: 13-January 04
Member No.: 1,974
I first noticed the missing display yesterday. Prior to that it had been working.

Below is the log you requested. Thanks so much.



2009-10-12 10:50:48 . 2009-10-12 10:50:48 162 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-SUPERAntiSpyware.reg.dat
2009-10-10 03:43:37 . 2009-10-10 03:43:37 182 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Corel Photo Downloader.reg.dat
2009-10-10 03:43:35 . 2009-10-10 03:43:35 302 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Dell QuickSet.reg.dat
2009-10-10 02:54:10 . 2009-10-10 03:18:37 30,720 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\GH\stsystra .exe.vir
2009-10-10 02:54:07 . 2009-10-10 03:18:34 30,720 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\GH\rundll32.exe nvhotkey .exe.vir
2009-10-10 02:36:24 . 2009-10-10 03:18:17 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\win32k.sys.vir
2009-10-10 02:33:54 . 2009-10-10 02:33:54 46 ----a-w- C:\Qoobox\Quarantine\C\p2hhr.bat.vir
2009-10-10 02:33:51 . 2009-10-10 02:33:58 458,209 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\AVR09.exe.vir
2009-10-10 02:33:43 . 2009-10-10 02:50:03 14 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\GHL\Application Data\iniasd.txt.vir
2009-10-10 02:33:33 . 2009-10-10 02:49:44 22,528 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\winhelper.dll.vir
2009-10-10 02:33:29 . 2009-10-10 02:49:31 831 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\critical_warning.html.vir
2009-10-10 02:33:26 . 2009-10-10 02:33:21 24,576 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate .exe.vir
2009-10-10 02:33:26 . 2009-10-10 02:33:21 24,576 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate.exe.vir
2009-10-10 02:33:15 . 2009-10-10 02:33:15 15,000 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\p0duaad.dll.vir
2009-10-10 02:33:13 . 2009-10-10 02:33:12 306,688 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\GHL\Application Data\svcst .exe.vir
2009-10-10 02:33:06 . 2009-10-10 02:33:12 351,232 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir
2009-07-28 10:22:45 . 2009-07-28 10:22:45 91 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Aim6.reg.dat
2009-07-28 10:13:49 . 2009-07-28 10:13:49 1,046 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}.reg.dat
2009-07-28 10:13:49 . 2009-10-10 03:37:58 1,046 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}.reg.dat
2009-07-28 10:13:44 . 2009-10-14 00:17:26 7,502 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-07-28 10:04:39 . 2009-10-14 00:10:19 541 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-04-24 19:29:02 . 2009-04-24 19:29:02 9,013,760 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\a94995.msp.vir
2008-01-29 02:09:04 . 2008-01-29 02:09:04 5,055,488 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\43058.msp.vir
2004-08-11 22:00:41 . 2008-04-14 00:12:16 15,360 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ctfmon .exe.vir
2004-08-11 22:00:25 . 2009-02-09 12:10:48 61,440 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\1a34734.msi.vir
2004-08-11 22:00:13 . 2008-04-14 00:11:53 61,952 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir
Go to the top of the page
 
+Quote Post
oldman960
post Oct 15 2009, 10:24 PM
Post #25


SuperHelper
Group Icon

Group: Classroom Teacher
Posts: 5,694
Joined: 27-April 08
Member No.: 78,707
Operating System: win98se, XP pro
Hi Greyspace,

It looks like combofix removed the registry entry as an orphan the first time you used it. The file appeared to be infected, perhaps the infected file was removed by MBAM in an earlier run or your AV.

We'll have a look for the file and make sure there is a clean copy. Use SystemLook again with this script

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield
  • Do not copy the word CODE , please note the script starts with the :
    CODE
    :filefind
    *QuickSet*
    *syntpenh*
    *pwrisovm*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Thanks
Go to the top of the page
 
+Quote Post
greyspace
post Oct 16 2009, 04:23 AM
Post #26


Authentic Member
**

Group: Authentic Member
Posts: 50
Joined: 13-January 04
Member No.: 1,974
Hi again, here is the log:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 03:22 on 16/10/2009 by GHL (Administrator - Elevation successful)

No Context: filefind

No Context: *QuickSet*

No Context: *syntpenh*

No Context: *pwrisovm*

-=End Of File=-
Go to the top of the page
 
+Quote Post
oldman960
post Oct 16 2009, 06:30 AM
Post #27


SuperHelper
Group Icon

Group: Classroom Teacher
Posts: 5,694
Joined: 27-April 08
Member No.: 78,707
Operating System: win98se, XP pro
Hi Greyspace,

It looks like you missed the : at the begining of the script. Please run it again ensuring it starts with the colon.

Thanks
Go to the top of the page
 
+Quote Post
greyspace
post Oct 16 2009, 04:20 PM
Post #28


Authentic Member
**

Group: Authentic Member
Posts: 50
Joined: 13-January 04
Member No.: 1,974
Sorry about that. Below is the log:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 15:17 on 16/10/2009 by GHL (Administrator - Elevation successful)

========== filefind ==========

Searching for "*QuickSet*"
C:\Documents and Settings\All Users\Start Menu\Programs\Dell QuickSet\QuickSet.lnk --a--- 527 bytes [03:09 04/04/2007] [03:09 04/04/2007] C36DAC2A1097A6FE9BC5CF39C787C25C
C:\Program Files\Dell\QuickSet\quickset .exe --a--- 1032192 bytes [03:09 04/04/2007] [23:51 03/08/2006] A2DC1E0E4C74D5D9598E18B2FDC7CEE4
C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Dell QuickSet.reg.dat --a--- 302 bytes [03:43 10/10/2009] [03:43 10/10/2009] 07807469DBA8A2B3D9BA80EAF29C393A

Searching for "*syntpenh*"
C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe ------ 761947 bytes [03:09 04/04/2007] [16:48 08/03/2006] ABB85828C394CEACACBC90373C59C529
C:\Program Files\Synaptics\SynTP\syntpenh .exe --a--- 761947 bytes [03:09 04/04/2007] [16:48 08/03/2006] ABB85828C394CEACACBC90373C59C529

Searching for "*pwrisovm*"
C:\Program Files\GHL\Self-Installed\PowerISO\pwrisovm .exe --a--- 180224 bytes [10:15 15/03/2009] [10:15 15/03/2009] 953A4E72A339BCE0068BFCBE5D8584F1

-=End Of File=-
Go to the top of the page
 
+Quote Post
oldman960
post Oct 16 2009, 07:32 PM
Post #29


SuperHelper
Group Icon

Group: Classroom Teacher
Posts: 5,694
Joined: 27-April 08
Member No.: 78,707
Operating System: win98se, XP pro
Hi Greyspace,

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE


CODE
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"


    Ensure there is no space above the REGEDIT4.
  • ensure the text matches including the space between lines
  • in notepad go to FILE > SAVE AS and in the dropdown box, set the top box SAVE IN to DESKTOP
  • in the FILE NAME box type (including the " " marks), "fix.reg"
Click save.

This will create a fix.reg file on your desktop

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

Reboot your computer. Everything ok now?

Please post a new HJT log.

Thanks
Go to the top of the page
 
+Quote Post
greyspace
post Oct 16 2009, 08:52 PM
Post #30


Authentic Member
**

Group: Authentic Member
Posts: 50
Joined: 13-January 04
Member No.: 1,974
Hi there. I tried your suggestion with the fix.reg but it didn't seem to work.

Here is the hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:50 PM, on 10/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\GHL\Self-Installed\Palm\Hotsync.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070403
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: VideoRaptorIePlugin Class - {90C8E8F8-A7C9-41E4-92E4-C679AE6FB78D} - C:\Program Files\Videoraptor\VideoRaptorIePlugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\bambite\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\GHL\Self-Installed\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SAS\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11321 bytes
Go to the top of the page
 
+Quote Post
« Next Oldest · Infections Removal · Next Newest »
 

3 Pages V  < 1 2 3 >
Closed TopicStart new topic

 
RSS Time is now: 14th March 2010 - 10:23 AM
Advertisements do not imply our endorsement of that product or service. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk.
Member site: Alliance of Security Analysis Professionals | UNITE Against Malware
Memory Forums | Auto Repair Forum
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy
Powered By IP.Board © 2010  IPS, Inc.