
[Resolved] Win32 - Trojan.Agent/Gen (Trojan.dropper/Win-NV) Removal He


  • This topic is locked
41 replies to this topic

#16 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 14 October 2009 - 07:06 AM

Hi Greyspace,

Do you have the results for

C:\Program Files\GHL\Self-Installed\stsystra.exe


Please post a new DDS.txt and the Attach.txt

Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.


#17 greyspace

greyspace

    Authentic Member

  • Authentic Member
  • 51 posts

Posted 14 October 2009 - 07:49 AM

Sorry about that, I thought that I had included a copy of the third scan. It is below along with the DDS log.

VirSCAN.org Scanned Report :
Scanned time : 2009/10/14 06:34:04 (PDT)
Scanner results: 59% Scanner(22/37) found malware!
File Name : stsystra.exe
File Size : 30720 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 0334b4eb4fbfb33c0f821d94bd30c7fa
SHA1 : 6e1e44b0803c70adc6ea5b5b537e6c87c8751722
Online report : http://virscan.org/r...3e2bab54cc.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091014103134 2009-10-14 4.13 Trojan-Downloader.Win32.Small!IK
AhnLab V3 2009.10.14.01 2009.10.14 2009-10-14 1.19 Win-Trojan/Downloader.30720.EO
AntiVir 8.2.1.35 7.1.6.109 2009-10-14 0.44 TR/Dldr.Small.kgn
Antiy 2.0.18 20091014.3003440 2009-10-14 0.12 Trojan/Win32.Small.anuu[Downloader]
Arcavir 2009 200910141053 2009-10-14 0.07 Downloader.Small.Kgn
Authentium 5.1.1 200910140109 2009-10-14 1.21 -
AVAST! 4.7.4 091013-0 2009-10-13 0.01 Win32:Malware-gen
AVG 8.5.288 270.14.16/2435 2009-10-14 0.31 Worm/Koobface.K
BitDefender 7.81008.4340639 7.28315 2009-10-14 3.73 Trojan.Generic.2520953
CA (VET) 9.0.0.143 35.1.7065 2009-10-14 9.47 -
ClamAV 0.95.2 9893 2009-10-14 0.01 -
Comodo 3.12 2599 2009-10-13 0.74 -
CP Secure 1.3.0.5 2009.10.14 2009-10-14 0.05 Troj.Downloader.W32.Small.kgn
Dr.Web 4.44.0.9170 2009.10.14 2009-10-14 5.51 Trojan.DownLoad.50126
F-Prot 4.4.4.56 20091013 2009-10-13 1.24 -
F-Secure 7.02.73807 2009.10.14.08 2009-10-14 0.09 Trojan-Downloader.Win32.Small.kgn [AVP]
Fortinet 2.81-3.120 10.941 2009-10-13 0.18 W32/Small.KGN!tr.dldr
GData 19.8393/19.510 20091014 2009-10-14 5.06 Trojan-Downloader.Win32.Small.kgn [Engine:A]
ViRobot 20091013 2009.10.13 2009-10-13 0.43 -
Ikarus T3.1.01.72 2009.10.14.74111 2009-10-14 4.12 Trojan-Downloader.Win32.Small
JiangMin 11.0.800 2009.10.08 2009-10-08 7.71 -
Kaspersky 5.5.10 2009.10.14 2009-10-14 0.06 Trojan-Downloader.Win32.Small.kgn
KingSoft 2009.2.5.15 2009.10.14.18 2009-10-14 0.62 Win32.TrojDownloader.Small.30720
McAfee 5.3.00 5770 2009-10-13 3.38 Generic Downloader.x!bnr
Microsoft 1.5101 2009.10.14 2009-10-14 6.08 -
Norman 6.01.09 6.01.00 2009-10-14 2.00 -
Panda 9.05.01 2009.10.13 2009-10-13 1.73 Trj/Downloader.MDW
Trend Micro 8.700-1004 6.542.01 2009-10-13 0.02 TROJ_AGENT.ZXDG
Quick Heal 10.00 2009.10.14 2009-10-14 1.26 TrojanDownloader.Small.kgn
Rising 20.0 21.51.20.00 2009-10-14 0.88 -
Sophos 3.00.1 4.46 2009-10-14 2.44 -
Sunbelt 5448 5448 2009-10-13 1.57 Trojan.Win32.Generic!BT
Symantec 1.3.0.24 20091013.002 2009-10-13 0.17 -
nProtect 20091013.02 5806236 2009-10-13 7.70 -
The Hacker 6.5.0.2 v00041 2009-10-13 0.80 -
VBA32 3.12.10.11 20091013.1125 2009-10-13 1.86 Trojan-Downloader.Win32.Small.anvv
VirusBuster 4.5.11.10 10.112.67/2004813 2009-10-13 2.50 -


------


DDS (Ver_09-06-26.01) - NTFSx86
Run by GHL at 6:45:35.23 on Wed 10/14/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1462 [GMT -7:00]

AV: avast! antivirus 4.8.1356 [VPS 091013-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\GHL\Self-Installed\Palm\Hotsync.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\GHL\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070403
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: VideoRaptorIePlugin Class: {90c8e8f8-a7c9-41e4-92e4-c679ae6fb78d} - c:\program files\videoraptor\VideoRaptorIePlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\bambite\mbam.exe" /runcleanupscript
mRun: [ZoneAlarm Client] "c:\program files\zonealarm\zlclient.exe"
mRun: [avast!] c:\progra~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\ghl\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\ghl\self-installed\palm\Hotsync.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\sas\SASWINLO.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\sas\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [2009-7-10 36512]
R0 csdf;csdf;c:\windows\system32\drivers\csdf.sys [2009-7-10 39456]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-10 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\sas\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\sas\SASKUTIL.SYS [2009-9-15 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-10-10 353672]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-10 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast4\ashServ.exe [2009-10-9 138680]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-2-4 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-2-4 47640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-12 24652]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast4\ashMaiSv.exe [2009-10-9 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast4\ashWebSv.exe [2009-10-9 352920]
S3 SASENUM;SASENUM;c:\program files\sas\SASENUM.SYS [2009-9-15 7408]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-10-14 00:05 <DIR> --d----- c:\windows\system32\Logs
2009-10-13 03:41 <DIR> --d----- C:\_OTM
2009-10-10 21:10 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-10-10 21:10 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-10-10 21:10 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-10-10 21:10 <DIR> --d----- c:\program files\ZoneAlarm
2009-10-10 21:10 350,192 a------- c:\windows\system32\vsconfig.xml
2009-10-10 21:08 <DIR> --d----- c:\windows\Internet Logs
2009-10-10 21:08 33,952,648 a------- c:\program files\zaSetup_80_298_000_en.exe
2009-10-10 10:09 236,544 a------- c:\windows\PEV.exe
2009-10-10 10:09 161,792 a------- c:\windows\SWREG.exe
2009-10-10 10:09 98,816 a------- c:\windows\sed.exe
2009-10-10 10:09 <DIR> --d----- C:\Combo-Fix
2009-10-09 23:12 <DIR> --d----- c:\program files\Avast4
2009-10-09 20:58 <DIR> --d----- c:\program files\bambite
2009-10-09 20:54 <DIR> --d----- c:\program files\SAS
2009-10-09 20:53 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-10-09 20:24 <DIR> --d----- c:\windows\ERUNT
2009-10-09 20:23 <DIR> --d----- C:\!FixIEDef
2009-10-09 20:00 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-10-09 19:58 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-30 16:33 <DIR> --d----- c:\windows\system32\NtmsData

==================== Find3M ====================

2009-10-13 20:58 48,944 a------- c:\windows\system32\nvModes.dat
2009-10-10 22:16 308,160 a------- c:\program files\avast_home_setup.exe
2009-10-09 19:33 14,336 -------- c:\windows\system32\svchost.exe
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-10 01:11 2,744,087 a------- c:\program files\flac-1.2.1b.exe
2009-09-07 17:47 7,886,336 a------- c:\program files\moto setup.msi
2009-09-07 16:05 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2009-09-07 16:05 28,984 a------- c:\windows\system32\LMIport.dll
2009-09-07 16:05 87,352 a------- c:\windows\system32\LMIinit.dll
2009-09-07 16:05 25,248 a------- c:\windows\system32\LMImirr.dll
2009-09-07 16:05 11,552 a------- c:\windows\system32\LMImirr2.dll
2009-08-13 08:16 512,000 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 02:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-01 18:38 6,008,376 a------- c:\program files\ashampoo_burning_studio_6_free_676_4280.exe
2009-07-28 21:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 21:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-28 21:37 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-07-28 21:37 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-23 10:52 278,221 a------- c:\program files\gmer.zip
2009-07-19 06:33 3,597,824 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 06:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 12:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-11 18:20 265,216 a------- c:\program files\TFC.exe
2009-07-11 18:18 794,112 a------- c:\program files\The_Comedian.exe
2009-07-11 05:50 812,344 a------- c:\program files\HJTInstall.exe
2009-07-10 21:24 5,575,824 a------- c:\program files\CSC_Setup_1.1.64946.38_xp_vista_server2003_x32.exe
2009-07-04 15:26 2,228,534 a------- c:\program files\audacity-win-1.2.6.exe
2009-07-04 11:04 23,442,487 a------- c:\program files\INSTALL.zip
2009-07-04 10:39 2,790,624 a------- c:\program files\x-audio-converter-CNET.exe
2009-07-04 10:27 6,698,028 a------- c:\program files\aaep.exe
2009-07-04 10:23 8,079,082 a------- c:\program files\audioextractor.exe
2009-07-04 10:19 3,176,437 a------- c:\program files\youtubedownloader.exe
2009-07-03 19:41 7,814,384 a------- c:\program files\audiocapture_wmf_setup.exe
2009-07-03 19:30 751,167 a------- c:\program files\sc11a.exe
2009-07-03 19:23 2,813,421 a------- c:\program files\m4a-to-mp3-converter.exe
2009-07-03 18:58 77,690,152 a------- c:\program files\iTunesSetup.exe
2009-07-03 11:34 434,832 a------- c:\program files\switchsetup.exe
2009-07-03 11:31 6,692,753 a------- c:\program files\Setup_FreeConverter.exe
2009-07-03 11:18 21,935,408 a------- c:\program files\QuickTimeInstaller.exe
2009-06-24 07:03 13,905,056 a------- c:\program files\aim6591.exe
2009-04-12 12:32 15,452,536 a------- c:\program files\IE7-WindowsXP-x86-enu.exe

============= FINISH: 6:46:12.29 ===============


#18 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 14 October 2009 - 06:45 PM

Hi Greyspace,

No problem. It's taking a bit to determine where this is running from and what's legitimate and what's not.

We will remove what we have confirmed and use a different site to check a couple of files.

We'll use OTM again
  • Please double-click OTM.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Do not copy the word CODE; note that the fix starts with the :
    :Processes
    explorer.exe
    
    :Files
    C:\Program Files\GHL\Self-Installed\stsystra.exe 
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
    C:\Program Files\Adobe\acrotray .exe
    C:\Program Files\GHL\Self-Installed\Tunebite
    C:\Program Files\Adobe
    
    :Commands
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

We will use VirusTotal. Please submit these files for analysis.

To submit a file to VirusTotal, please click on this link:

http://www.virustotal.com

Copy and paste the following into the upload a file box (one at a time if more than one file is listed):

C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
c:\windows\system32\ctfmon.exe


Scroll down a bit and click "send file", wait for the results and post them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.

Next

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield
  • Do not copy the word CODE; please note that the script starts with the :
    :filefind
    *ISUSPM*
    *nvHotkey*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Please post back with
  • OTM log
  • VirusTotal results
  • SystemLook log

Thanks

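The fix list in the post above moves `isuspm .exe` and `acrotray .exe`, whose names carry a space before the extension, and the `SigmatelSysTrayApp` Run entry in the DDS log names `stsystra.exe` without a path while copies of that file sit in two folders. The Python sketch below is an added example, not part of the original posts or of any tool named in the thread; it flags both patterns, its function names are hypothetical, and its sample input is copied from the logs in this thread.

```python
import ntpath
import re
from collections import defaultdict

# Sample input copied from the DDS log in this thread (Run entries only).
RUN_LINES = r"""
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
""".strip().splitlines()

# File paths copied from the process list, the OTM fix list and the VirusTotal request.
KNOWN_PATHS = [
    r"C:\WINDOWS\stsystra.exe",
    r"C:\Program Files\GHL\Self-Installed\stsystra.exe",
    r"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe",
    r"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe",
    r"C:\Program Files\Adobe\acrotray .exe",
    r"c:\windows\system32\ctfmon.exe",
    r"C:\Program Files\Avast4\ashServ.exe",
]

RUN_LINE = re.compile(r"^([um]Run): \[(.+?)\] (.+)$")
# DDS often prints paths with spaces unquoted, so cut at the first executable extension.
EXE_TOKEN = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|scr))(?=\s|$)", re.IGNORECASE)


def canonical_name(path):
    """Lower-cased file name with whitespace around the stem and extension removed."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    ext = "." + ext[1:].strip() if ext else ""
    return (stem.strip() + ext).lower()


def has_padded_name(path):
    """True when the name differs from its canonical form by stray whitespace."""
    return ntpath.basename(path).lower() != canonical_name(path)


def triage(paths):
    """Map each suspicious path to the reasons it deserves a closer look."""
    dirs_by_name = defaultdict(set)
    for path in paths:
        dirs_by_name[canonical_name(path)].add(ntpath.normcase(ntpath.dirname(path)))
    flagged = {}
    for path in paths:
        reasons = []
        if has_padded_name(path):
            reasons.append("whitespace before extension")
        if len(dirs_by_name[canonical_name(path)]) > 1:
            reasons.append("same name in several folders")
        if reasons:
            flagged[path] = reasons
    return flagged


def run_entry_image(line):
    """Return (entry name, program path) for a DDS uRun/mRun line, or None."""
    match = RUN_LINE.match(line.strip())
    if not match:
        return None
    command = match.group(3).strip()
    if command.startswith('"'):
        image = command[1:].split('"', 1)[0]
    else:
        hit = EXE_TOKEN.match(command)
        image = hit.group(1) if hit else command.split()[0]
    return match.group(2), image


def unqualified_run_entries(run_lines, known_paths):
    """Run entries that name a program without a full path, plus where copies were seen."""
    results = []
    for line in run_lines:
        parsed = run_entry_image(line)
        if parsed is None or ntpath.isabs(parsed[1]):
            continue
        entry, image = parsed
        candidates = [p for p in known_paths if canonical_name(p) == canonical_name(image)]
        results.append((entry, image, candidates))
    return results


if __name__ == "__main__":
    for path, reasons in triage(KNOWN_PATHS).items():
        print(path, "->", ", ".join(reasons))
    for entry, image, candidates in unqualified_run_entries(RUN_LINES, KNOWN_PATHS):
        print(f"[{entry}] {image} has no path; copies seen at: {candidates or 'unknown'}")
```

A flag here only marks a file for hashing and a multi-engine scan, as the thread does; it is not a verdict on its own.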

#19 greyspace

greyspace

    Authentic Member

  • Authentic Member
  • 51 posts

Posted 14 October 2009 - 07:29 PM

Hi again, below are the logs. I hope that I copied and pasted the VirusTotal log correctly.

========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
C:\Program Files\GHL\Self-Installed\stsystra.exe moved successfully.
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe moved successfully.
C:\Program Files\Adobe\acrotray .exe moved successfully.
C:\Program Files\GHL\Self-Installed\Tunebite\AutoTag\general moved successfully.
C:\Program Files\GHL\Self-Installed\Tunebite\AutoTag moved successfully.
C:\Program Files\GHL\Self-Installed\Tunebite moved successfully.
C:\Program Files\Adobe\Acrobat 7.0\ActiveX moved successfully.
C:\Program Files\Adobe\Acrobat 7.0 moved successfully.
C:\Program Files\Adobe moved successfully.
========== COMMANDS ==========

OTM by OldTimer - Version 3.0.0.6 log created on 10142009_180428

Files moved on Reboot...

Registry entries deleted on Reboot...

------------------------------

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.15 -
AhnLab-V3 5.0.0.2 2009.10.14 -
AntiVir 7.9.1.35 2009.10.14 -
Antiy-AVL 2.0.3.7 2009.10.14 -
Authentium 5.1.2.4 2009.10.15 -
Avast 4.8.1351.0 2009.10.14 -
AVG 8.5.0.420 2009.10.14 -
BitDefender 7.2 2009.10.15 -
CAT-QuickHeal 10.00 2009.10.14 -
ClamAV 0.94.1 2009.10.14 -
Comodo 2601 2009.10.15 -
DrWeb 5.0.0.12182 2009.10.14 -
eSafe 7.0.17.0 2009.10.14 -
eTrust-Vet 35.1.7068 2009.10.14 -
F-Prot 4.5.1.85 2009.10.14 -
F-Secure 8.0.14470.0 2009.10.14 -
Fortinet 3.120.0.0 2009.10.15 -
GData 19 2009.10.15 -
Ikarus T3.1.1.72.0 2009.10.15 -
Jiangmin 11.0.800 2009.10.08 -
K7AntiVirus 7.10.870 2009.10.14 -
Kaspersky 7.0.0.125 2009.10.15 -
McAfee 5771 2009.10.14 -
McAfee+Artemis 5771 2009.10.14 -
McAfee-GW-Edition 6.8.5 2009.10.14 -
Microsoft 1.5101 2009.10.14 -
NOD32 4508 2009.10.14 -
Norman 6.01.09 2009.10.14 -
nProtect 2009.1.8.0 2009.10.14 -
Panda 10.0.2.2 2009.10.15 -
PCTools 4.4.2.0 2009.10.14 -
Prevx 3.0 2009.10.15 -
Rising 21.51.24.00 2009.10.14 -
Sophos 4.46.0 2009.10.15 -
Sunbelt 3.2.1858.2 2009.10.15 -
Symantec 1.4.4.12 2009.10.15 -
TheHacker 6.5.0.2.042 2009.10.14 -
TrendMicro 8.950.0.1094 2009.10.14 -
VBA32 3.12.10.11 2009.10.14 -
ViRobot 2009.10.14.1984 2009.10.14 -
VirusBuster 4.6.5.0 2009.10.14 -

Additional information
File size: 221184 bytes
MD5...: fb9e5c251cf6c37749f296bacb34a69b
SHA1..: 726df7171d5f28f922d6a258cdb6b0c18a257c91
SHA256: d6fad9c7406071291095811d0fecea8940365c8e345d7c099853fce2d1fe4412
ssdeep: 3072:8i9/PQOtzB0SLsw9Sgn+30Ts5xt3b8FlJn9OCJGbc7npCXeiqKIAq:JhoOR ww9NI5xt3oFlJsn0F
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x16c44
timedatestamp.....: 0x4106ce30 (Tue Jul 27 21:50:40 2004)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x19bea 0x1a000 6.49 6085a26cfd23233b3b236ae2f680907f
.rdata 0x1b000 0x2424 0x3000 4.76 1036fc6e472ca7d05e3ebb707c8502da
.data 0x1e000 0x4108 0x4000 1.74 b3b8f8a7556618eda9a8a2b13ff39f2a
.rsrc 0x23000 0x13100 0x14000 6.43 db19321e4bb6f8a21aee7c2405e1bfb2

( 9 imports )
> KERNEL32.dll: FreeLibrary, GetProcAddress, GetSystemTime, lstrcmpiA, GetPrivateProfileStringA, WritePrivateProfileStringA, CreateProcessA, GetModuleFileNameA, CloseHandle, CreateMutexA, GetCurrentThreadId, CreateEventA, WaitForSingleObject, InitializeCriticalSection, HeapDestroy, DeleteCriticalSection, InterlockedIncrement, InterlockedDecrement, lstrcmpA, LockResource, FreeResource, GlobalHandle, GetShortPathNameA, GetModuleHandleA, MulDiv, TerminateThread, CreateThread, ExitThread, GetDateFormatA, lstrcpynA, CreateDirectoryA, GetStringTypeW, GetStringTypeA, GetOEMCP, GetACP, GlobalFree, GetCPInfo, LCMapStringW, LCMapStringA, WriteFile, TlsGetValue, TlsAlloc, TlsSetValue, GetFileType, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, RtlUnwind, HeapCreate, GetEnvironmentVariableA, VirtualAlloc, VirtualFree, HeapSize, TerminateProcess, ExitProcess, GetVersion, GetCommandLineA, GetStartupInfoA, HeapFree, HeapAlloc, HeapReAlloc, GlobalAlloc, GlobalLock, GlobalUnlock, GetCurrentProcess, FlushInstructionCache, EnterCriticalSection, LeaveCriticalSection, SetEvent, CopyFileA, GetFileAttributesA, GetTickCount, CompareStringW, CompareStringA, lstrlenW, LoadLibraryA, FindResourceExA, FindResourceA, LoadResource, GetVersionExA, GetUserDefaultLangID, lstrcpyA, WideCharToMultiByte, lstrlenA, MultiByteToWideChar, GetLastError, SetLastError, GetWindowsDirectoryA
> USER32.dll: IsWindow, BeginPaint, FillRect, EndPaint, GetFocus, IsChild, SetFocus, GetSysColor, RedrawWindow, GetClassNameA, GetDesktopWindow, CreateAcceleratorTableA, ReleaseCapture, SetCapture, GetParent, ReleaseDC, ScreenToClient, SetWindowPos, DrawTextA, SendMessageA, GetDC, CopyRect, GetClientRect, GetWindowRect, InvalidateRect, ShowWindow, SetWindowTextA, InvalidateRgn, AppendMenuA, GetSystemMenu, SetForegroundWindow, UpdateWindow, SetCursor, PtInRect, SetTimer, LoadBitmapA, GetSysColorBrush, CreateWindowExA, GetDlgItem, wsprintfA, EndDialog, CallWindowProcA, GetWindowTextLengthA, GetWindowTextA, RegisterWindowMessageA, GetClassInfoExA, RegisterClassExA, DialogBoxIndirectParamA, DialogBoxParamA, CreateDialogIndirectParamA, CreateDialogParamA, GetMessageA, MsgWaitForMultipleObjects, GetActiveWindow, FindWindowA, DefWindowProcA, CharLowerA, MessageBoxA, DestroyWindow, EnableWindow, LoadCursorA, SetClassLongA, PostQuitMessage, GetSystemMetrics, LoadImageA, PeekMessageA, IsDialogMessageA, TranslateMessage, DispatchMessageA, GetWindowLongA, GetWindow, SystemParametersInfoA, MapWindowPoints, SetWindowLongA, GetDlgCtrlID
> GDI32.dll: SetBkMode, CreateFontIndirectA, SetTextColor, GetStockObject, GetObjectA, CreateSolidBrush, DeleteObject, CreateCompatibleBitmap, CreateCompatibleDC, BitBlt, DeleteDC, SelectObject, GetDeviceCaps
> ADVAPI32.dll: RegCloseKey, RegOpenKeyExA, RegOpenKeyA, RegSetValueExA, RegCreateKeyExA, RegQueryInfoKeyA, RegEnumValueA, RegQueryValueExA
> SHELL32.dll: Shell_NotifyIconA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, ShellExecuteA
> ole32.dll: OleLockRunning, CoTaskMemAlloc, StringFromCLSID, CoTaskMemFree, CLSIDFromProgID, OleUninitialize, OleInitialize, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, CoCreateInstance, CLSIDFromString
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
> COMCTL32.dll: ImageList_Create, ImageList_Destroy, ImageList_AddMasked, -

( 0 exports )
RDS...: NSRL Reference Data Set -
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ThreatExpert info: http://www.threatexp...6bacb34a69b
sigcheck:
publisher....: InstallShield Software Corporation
copyright....: Copyright © 1990-2004 InstallShield Software Corporation
product......: InstallShield Update Service
description..: InstallShield Update Service Update Manager
original name: ISUSPM.exe
internal name: ProgramManager
file version.: 3, 10, 100, 1155
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

------------------------------

File ctfmon.exe received on 2009.10.15 01:20:09 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 1/41 (2.44%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 40 and 57 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment, results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.15 -
AhnLab-V3 5.0.0.2 2009.10.14 -
AntiVir 7.9.1.35 2009.10.14 -
Antiy-AVL 2.0.3.7 2009.10.14 -
Authentium 5.1.2.4 2009.10.15 -
Avast 4.8.1351.0 2009.10.14 -
AVG 8.5.0.420 2009.10.14 -
BitDefender 7.2 2009.10.15 -
CAT-QuickHeal 10.00 2009.10.14 -
ClamAV 0.94.1 2009.10.14 -
Comodo 2601 2009.10.15 -
DrWeb 5.0.0.12182 2009.10.14 -
eSafe 7.0.17.0 2009.10.14 Win32.Banker
eTrust-Vet 35.1.7068 2009.10.14 -
F-Prot 4.5.1.85 2009.10.14 -
F-Secure 8.0.14470.0 2009.10.14 -
Fortinet 3.120.0.0 2009.10.15 -
GData 19 2009.10.15 -
Ikarus T3.1.1.72.0 2009.10.15 -
Jiangmin 11.0.800 2009.10.08 -
K7AntiVirus 7.10.870 2009.10.14 -
Kaspersky 7.0.0.125 2009.10.15 -
McAfee 5771 2009.10.14 -
McAfee+Artemis 5771 2009.10.14 -
McAfee-GW-Edition 6.8.5 2009.10.14 -
Microsoft 1.5101 2009.10.14 -
NOD32 4508 2009.10.14 -
Norman 6.01.09 2009.10.14 -
nProtect 2009.1.8.0 2009.10.14 -
Panda 10.0.2.2 2009.10.15 -
PCTools 4.4.2.0 2009.10.14 -
Prevx 3.0 2009.10.15 -
Rising 21.51.24.00 2009.10.14 -
Sophos 4.46.0 2009.10.15 -
Sunbelt 3.2.1858.2 2009.10.15 -
Symantec 1.4.4.12 2009.10.15 -
TheHacker 6.5.0.2.042 2009.10.14 -
TrendMicro 8.950.0.1094 2009.10.14 -
VBA32 3.12.10.11 2009.10.14 -
ViRobot 2009.10.14.1984 2009.10.14 -
VirusBuster 4.6.5.0 2009.10.14 -

Additional information
File size: 15360 bytes
MD5...: 5f1d5f88303d4a4dbc8e5f97ba967cc3
SHA1..: 99cb7370f16773c8e2d0c86fe805ec638ab126e9
SHA256: 5fb24fc7916a6e6b3be7d84cb1684215b266cd1495575c2e5672b8447932e5b1
ssdeep: 192:W6hGoc4F/MNhlYWpjZ+o7NpO7MIl8SVPTI7mW7rOi7oLG9lMnjmxAITljrUF E3W3:FA1Eo7NY8MPTIaW7/lumxlJlWDlgW
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2e35
timedatestamp.....: 0x48025356 (Sun Apr 13 18:39:18 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2ab8 0x2c00 6.75 414ce647d4328e7513d4155b1a2c9499
.data 0x4000 0x210 0x200 1.07 bd8c5cd346a9f53dc0dbc69260ab2240
.rsrc 0x5000 0x870 0xa00 3.85 421ca88053c2138f828a915f2a95d754

( 6 imports )
> msvcrt.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _cexit, _XcptFilter, _exit, _c_exit
> ADVAPI32.dll: RegDeleteValueA, RegOpenKeyExA, RegCloseKey, RegSetValueExA, RegCreateKeyA, RegCreateKeyExA
> KERNEL32.dll: lstrcpynA, lstrlenA, GetSystemDirectoryA, GetSystemWindowsDirectoryA, GetVersionExA, GetACP, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LocalFree, CloseHandle, ResetEvent, OpenEventA, CreateProcessA, lstrcatA, GetSystemInfo, lstrcmpiA, FreeLibrary, LoadLibraryA, CreateEventA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, LocalAlloc, GetProcAddress
> USER32.dll: EnumWindows, GetClassNameA, FindWindowA, PostMessageA, SetTimer, KillTimer, MsgWaitForMultipleObjects, PeekMessageA, TranslateMessage, DispatchMessageA, GetMessageA, SetWindowPos, LoadCursorA, RegisterClassExA, DefWindowProcA, PostQuitMessage, CreateWindowExA, GetSystemMetrics
> MSCTF.dll: TF_InitSystem, TF_GetGlobalCompartment, TF_InvalidAssemblyListCacheIfExist, TF_InvalidAssemblyListCache, TF_PostAllThreadMsg, TF_CreateCicLoadMutex, TF_UninitSystem
> MSUTB.dll: ClosePopupTipbar, GetPopupTipbar

( 0 exports )
RDS...: NSRL Reference Data Set -
pdfid.: -
ThreatExpert info:
<a href='http://www.threatexp...c8e5f97ba967cc3' target='_blank'>http://www.threatexp...f97ba967cc3</a> sigcheck: publisher....: Microsoft Corporation copyright....: © Microsoft Corporation. All rights reserved. product......: Microsoft_ Windows_ Operating System description..: CTF Loader original name: CTFMON.EXE internal name: CTFMON file version.: 5.1.2600.5512 (xpsp.080413-2105) comments.....: n/a signers......: - signing date.: - verified.....: Unsigned trid..: Win32 Executable Generic (42.3%) Win32 Dynamic Link Library (generic) (37.6%) Generic Win/DOS Executable (9.9%) DOS Executable Generic (9.9%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%) ------------------ SystemLook v1.0 by jpshortstuff (29.08.09) Log created at 18:25 on 14/10/2009 by GHL (Administrator - Elevation successful) ========== filefind ========== Searching for "*ISUSPM*" C:\Documents and Settings\All Users\Application Data\InstallShield\UpdateService\Database\isuspm.ini --a--- 39 bytes [03:13 04/04/2007] [03:13 04/04/2007] 91DC93FD4E697E7E6E26215AA81C2C38 C:\i386\ISUSPM.cpl --a--- 73728 bytes [13:46 16/04/2007] [21:50 27/07/2004] 9BC4B93A567F470FFE7709A8BE39BF00 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe --a--- 221184 bytes [21:50 27/07/2004] [21:50 27/07/2004] FB9E5C251CF6C37749F296BACB34A69B C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe -startup --a--- 30720 bytes [02:33 10/10/2009] [05:22 10/10/2009] 0334B4EB4FBFB33C0F821D94BD30C7FA C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe.manifest --a--- 586 bytes [21:47 27/07/2004] [21:47 27/07/2004] F6EDF9703C2B936F96324DC366E19C22 C:\WINDOWS\Prefetch\ISUSPM.EXE-0FE4BBE2.pf --a--- 16798 bytes [11:48 14/10/2009] [01:10 15/10/2009] 752A879003A84544D4C5FF2FA60389FA C:\WINDOWS\system32\ISUSPM.cpl --a--- 73728 bytes [21:50 27/07/2004] [21:50 27/07/2004] 9BC4B93A567F470FFE7709A8BE39BF00 C:\_OTM\MovedFiles\10142009_180428\Program Files\Common 
Files\InstallShield\UpdateService\isuspm .exe --a--- 30720 bytes [02:33 10/10/2009] [02:33 10/10/2009] 0334B4EB4FBFB33C0F821D94BD30C7FA Searching for "*nvHotkey*" C:\drivers\video\addon\nvHotkey.dl_ --a--- 44606 bytes [02:42 04/04/2007] [11:03 21/03/2006] 6523C514B79EB033E0EB31C29BB6BF8A C:\i386\nvhotkey.dll --a--- 73728 bytes [13:49 16/04/2007] [11:03 21/03/2006] 501346DE4716A3B74029B8955D285CFB C:\Program Files\GHL\Self-Installed\rundll32.exe nvhotkey.dll,start --a--- 30720 bytes [02:43 10/10/2009] [02:43 10/10/2009] 0334B4EB4FBFB33C0F821D94BD30C7FA C:\Qoobox\Quarantine\C\Documents and Settings\GH\rundll32.exe nvhotkey .exe.vir --a--- 30720 bytes [02:54 10/10/2009] [03:18 10/10/2009] 0334B4EB4FBFB33C0F821D94BD30C7FA C:\WINDOWS\system32\nvhotkey.dll --a--- 73728 bytes [02:42 04/04/2007] [11:03 21/03/2006] 501346DE4716A3B74029B8955D285CFB -=End Of File=-

#20 oldman960

Posted 14 October 2009 - 11:49 PM

Hi Greyspace,

Good job. We have a couple more files to remove.

We'll use OTM again
  • Please double-click OTM.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Do not copy the word CODE; note the fix starts with the :
    :Processes
    explorer.exe
    
    :Files
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe -startup 
    C:\Program Files\GHL\Self-Installed\rundll32.exe nvhotkey.dll,start 
    
    :Commands
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Are you aware of this program installed on your computer? LogMeIn

I hate to do this but I'd like you to run another Kaspersky scan the same way you did before.

Please post back with
  • OTM log
  • Kaspersky log
  • new DDS.txt
No need for the Attach.txt this time.

How is the computer?

Thanks

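How the two paths in the :Files block above can be picked out of the SystemLook log posted earlier in the thread, as an added example that is not part of the original posts: it parses filefind entries and flags files whose MD5 matches the sample the VirSCAN report flagged, whose name continues past the executable extension, or whose content appears under different names. The function names and the one-entry-per-line layout are assumptions; paths and hashes are copied from the thread's logs.

```python
import re
from collections import defaultdict

# MD5 of the 30720-byte sample the VirSCAN report in this thread flagged.
KNOWN_BAD_MD5 = {"0334b4eb4fbfb33c0f821d94bd30c7fa"}

# Entries copied from the SystemLook log in this thread, laid out one per line
# (assumed layout: path, attributes, size, [created], [modified], MD5).
SAMPLE_LOG = r"""
Searching for "*ISUSPM*"
C:\i386\ISUSPM.cpl --a--- 73728 bytes [13:46 16/04/2007] [21:50 27/07/2004] 9BC4B93A567F470FFE7709A8BE39BF00
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe --a--- 221184 bytes [21:50 27/07/2004] [21:50 27/07/2004] FB9E5C251CF6C37749F296BACB34A69B
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe -startup --a--- 30720 bytes [02:33 10/10/2009] [05:22 10/10/2009] 0334B4EB4FBFB33C0F821D94BD30C7FA
Searching for "*nvHotkey*"
C:\i386\nvhotkey.dll --a--- 73728 bytes [13:49 16/04/2007] [11:03 21/03/2006] 501346DE4716A3B74029B8955D285CFB
C:\Program Files\GHL\Self-Installed\rundll32.exe nvhotkey.dll,start --a--- 30720 bytes [02:43 10/10/2009] [02:43 10/10/2009] 0334B4EB4FBFB33C0F821D94BD30C7FA
C:\WINDOWS\system32\nvhotkey.dll --a--- 73728 bytes [02:42 04/04/2007] [11:03 21/03/2006] 501346DE4716A3B74029B8955D285CFB
"""

# The path is matched lazily because file names here may contain spaces and
# even text that looks like command-line arguments.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# An executable extension followed by more text: the file name itself looks
# like a command line, e.g. "isuspm.exe -startup".
ARGS_IN_NAME_RE = re.compile(r"\.(exe|dll|scr|com)[ ,]\S", re.IGNORECASE)


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def parse_filefind(text):
    """Return one dict per file entry; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entry = match.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].lower()
            entries.append(entry)
    return entries


def names_by_hash(entries):
    """Map each MD5 to the set of (lower-cased) file names carrying it."""
    groups = defaultdict(set)
    for entry in entries:
        groups[entry["md5"]].add(basename(entry["path"]).lower())
    return groups


def flag_entries(entries, known_bad=KNOWN_BAD_MD5):
    """Return (path, reasons) for every entry that deserves a closer look."""
    groups = names_by_hash(entries)
    flagged = []
    for entry in entries:
        reasons = []
        if entry["md5"] in known_bad:
            reasons.append("hash matches flagged sample")
        if ARGS_IN_NAME_RE.search(basename(entry["path"])):
            reasons.append("file name continues past its extension")
        if len(groups[entry["md5"]]) > 1:
            reasons.append("same content under different names")
        if reasons:
            flagged.append((entry["path"], reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in flag_entries(parse_filefind(SAMPLE_LOG)):
        print(path)
        for reason in reasons:
            print("    -", reason)
```

The legitimate ISUSPM.exe and nvhotkey.dll entries are not flagged: their hashes differ from the sample, and the two copies of nvhotkey.dll share one name.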

#21 greyspace

Posted 15 October 2009 - 08:11 AM

Hi again. For the most part, the computer seems to be running fine. Just still a little worried/paranoid that there is something running on the computer accessing information it shouldn't so it makes me a little hesitant to connect to the internet. I am aware of the logmein program running. I've used it in the past for remote access. Below are the log files you requested. Again, thanks so much.

========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe -startup moved successfully.
C:\Program Files\GHL\Self-Installed\rundll32.exe nvhotkey.dll,start moved successfully.
========== COMMANDS ==========

OTM by OldTimer - Version 3.0.0.6 log created on 10152009_045920

Files moved on Reboot...

Registry entries deleted on Reboot...

--------------------------------------------------------------------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, October 15, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, October 15, 2009 13:39:24
Records in database: 2997891
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 72511
Threats found: 11
Infected objects found: 21
Suspicious objects found: 0
Scan duration: 01:21:58

File name / Threat / Threats count
C:\Program Files\GHL\Self-Installed\LogMeIn.msi Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 2
C:\Qoobox\Quarantine\C\Documents and Settings\GH\rundll32.exe nvhotkey .exe.vir Infected: Trojan-Downloader.Win32.Small.kgn 1
C:\Qoobox\Quarantine\C\Documents and Settings\GH\stsystra .exe.vir Infected: Trojan-Downloader.Win32.Small.kgn 1
C:\Qoobox\Quarantine\C\Documents and Settings\GHL\Application Data\svcst .exe.vir Infected: Trojan.Win32.Vilsel.idd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\critical_warning.html.vir Infected: Trojan.HTML.Fraud.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir Infected: Trojan.Win32.Sirefef.a 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\p0duaad.dll.vir Infected: Trojan-Downloader.Win32.Small.ante 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winhelper.dll.vir Infected: Trojan.Win32.BHO.abbr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate .exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.ftv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.ftv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir Infected: Trojan.Win32.Vilsel.ihc 1
C:\_OTM\MovedFiles\10132009_034113\tixqapi.exe Infected: Trojan.Win32.Agent2.cjge 1
C:\_OTM\MovedFiles\10132009_034113\tixqapi.exe Infected: Trojan.Win32.Agent.cyna 1
C:\_OTM\MovedFiles\10142009_180428\Program Files\Adobe\acrotray .exe Infected: Trojan-Downloader.Win32.Small.kgn 1
C:\_OTM\MovedFiles\10142009_180428\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe Infected: Trojan-Downloader.Win32.Small.kgn 1
C:\_OTM\MovedFiles\10142009_180428\Program Files\GHL\Self-Installed\stsystra.exe Infected: Trojan-Downloader.Win32.Small.kgn 1
C:\_OTM\MovedFiles\10142009_180428\Program Files\GHL\Self-Installed\Tunebite\tunebite .exe Infected: Trojan-Downloader.Win32.Small.kgn 1
C:\_OTM\MovedFiles\10142009_180428\Program Files\GHL\Self-Installed\Tunebite\tunebite.exe -tray Infected: Trojan-Downloader.Win32.Small.kgn 1
C:\_OTM\MovedFiles\10152009_045920\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe -startup Infected: Trojan-Downloader.Win32.Small.kgn 1
C:\_OTM\MovedFiles\10152009_045920\Program Files\GHL\Self-Installed\rundll32.exe nvhotkey.dll,start Infected: Trojan-Downloader.Win32.Small.kgn 1

Selected area has been scanned.

------------------------------------------

DDS (Ver_09-06-26.01) - NTFSx86
Run by GHL at 7:08:35.56 on Thu 10/15/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1279 [GMT -7:00]

AV: avast! antivirus 4.8.1356 [VPS 091014-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\GHL\Self-Installed\Palm\Hotsync.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\GHL\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070403
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: VideoRaptorIePlugin Class: {90c8e8f8-a7c9-41e4-92e4-c679ae6fb78d} - c:\program files\videoraptor\VideoRaptorIePlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\bambite\mbam.exe" /runcleanupscript
mRun: [ZoneAlarm Client] "c:\program files\zonealarm\zlclient.exe"
mRun: [avast!] c:\progra~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\ghl\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\ghl\self-installed\palm\Hotsync.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\sas\SASWINLO.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\sas\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [2009-7-10 36512]
R0 csdf;csdf;c:\windows\system32\drivers\csdf.sys [2009-7-10 39456]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-10 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\sas\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\sas\SASKUTIL.SYS [2009-9-15 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-10-10 353672]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-10 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast4\ashServ.exe [2009-10-9 138680]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-2-4 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-2-4 47640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-12 24652]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast4\ashMaiSv.exe [2009-10-9 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast4\ashWebSv.exe [2009-10-9 352920]
S3 SASENUM;SASENUM;c:\program files\sas\SASENUM.SYS [2009-9-15 7408]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-10-14 00:05 <DIR> --d----- c:\windows\system32\Logs
2009-10-13 03:41 <DIR> --d----- C:\_OTM
2009-10-10 21:10 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-10-10 21:10 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-10-10 21:10 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-10-10 21:10 <DIR> --d----- c:\program files\ZoneAlarm
2009-10-10 21:10 350,192 a------- c:\windows\system32\vsconfig.xml
2009-10-10 21:08 <DIR> --d----- c:\windows\Internet Logs
2009-10-10 21:08 33,952,648 a------- c:\program files\zaSetup_80_298_000_en.exe
2009-10-10 10:09 236,544 a------- c:\windows\PEV.exe
2009-10-10 10:09 161,792 a------- c:\windows\SWREG.exe
2009-10-10 10:09 98,816 a------- c:\windows\sed.exe
2009-10-10 10:09 <DIR> --d----- C:\Combo-Fix
2009-10-09 23:12 <DIR> --d----- c:\program files\Avast4
2009-10-09 20:58 <DIR> --d----- c:\program files\bambite
2009-10-09 20:54 <DIR> --d----- c:\program files\SAS
2009-10-09 20:53 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-10-09 20:24 <DIR> --d----- c:\windows\ERUNT
2009-10-09 20:23 <DIR> --d----- C:\!FixIEDef
2009-10-09 20:00 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-10-09 19:58 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-30 16:33 <DIR> --d----- c:\windows\system32\NtmsData

==================== Find3M ====================

2009-10-13 20:58 48,944 a------- c:\windows\system32\nvModes.dat
2009-10-10 22:16 308,160 a------- c:\program files\avast_home_setup.exe
2009-10-09 19:33 14,336 -------- c:\windows\system32\svchost.exe
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-10 01:11 2,744,087 a------- c:\program files\flac-1.2.1b.exe
2009-09-07 17:47 7,886,336 a------- c:\program files\moto setup.msi
2009-09-07 16:05 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2009-09-07 16:05 28,984 a------- c:\windows\system32\LMIport.dll
2009-09-07 16:05 87,352 a------- c:\windows\system32\LMIinit.dll
2009-09-07 16:05 25,248 a------- c:\windows\system32\LMImirr.dll
2009-09-07 16:05 11,552 a------- c:\windows\system32\LMImirr2.dll
2009-08-17 23:33 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-13 08:16 512,000 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 02:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 08:13 2,145,280 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 08:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 07:20 2,023,936 -------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 07:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 07:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-08-01 18:38 6,008,376 a------- c:\program files\ashampoo_burning_studio_6_free_676_4280.exe
2009-07-28 21:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 21:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-28 21:37 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-07-28 21:37 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-23 10:52 278,221 a------- c:\program files\gmer.zip
2009-07-19 06:33 3,597,824 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 06:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 12:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-11 18:20 265,216 a------- c:\program files\TFC.exe
2009-07-11 18:18 794,112 a------- c:\program files\The_Comedian.exe
2009-07-11 05:50 812,344 a------- c:\program files\HJTInstall.exe
2009-07-10 21:24 5,575,824 a------- c:\program files\CSC_Setup_1.1.64946.38_xp_vista_server2003_x32.exe
2009-07-04 15:26 2,228,534 a------- c:\program files\audacity-win-1.2.6.exe
2009-07-04 11:04 23,442,487 a------- c:\program files\INSTALL.zip
2009-07-04 10:39 2,790,624 a------- c:\program files\x-audio-converter-CNET.exe
2009-07-04 10:27 6,698,028 a------- c:\program files\aaep.exe
2009-07-04 10:23 8,079,082 a------- c:\program files\audioextractor.exe
2009-07-04 10:19 3,176,437 a------- c:\program files\youtubedownloader.exe
2009-07-03 19:41 7,814,384 a------- c:\program files\audiocapture_wmf_setup.exe
2009-07-03 19:30 751,167 a------- c:\program files\sc11a.exe
2009-07-03 19:23 2,813,421 a------- c:\program files\m4a-to-mp3-converter.exe
2009-07-03 18:58 77,690,152 a------- c:\program files\iTunesSetup.exe
2009-07-03 11:34 434,832 a------- c:\program files\switchsetup.exe
2009-07-03 11:31 6,692,753 a------- c:\program files\Setup_FreeConverter.exe
2009-07-03 11:18 21,935,408 a------- c:\program files\QuickTimeInstaller.exe
2009-06-24 07:03 13,905,056 a------- c:\program files\aim6591.exe
2009-04-12 12:32 15,452,536 a------- c:\program files\IE7-WindowsXP-x86-enu.exe

============= FINISH: 7:08:59.90 ===============

#22 greyspace

Posted 15 October 2009 - 03:05 PM

By the way, one thing I did notice on the computer is that it has buttons on the front of it for volume, CD/DVD playback, etc. I used to be able to mute, lower or raise the volume by pressing these buttons, etc. and when I would do that, I'd get a display that would show up so I could see it was working and now that doesn't seem to work.

Edited by greyspace, 15 October 2009 - 03:24 PM.


#23 oldman960

Posted 15 October 2009 - 06:36 PM

Hi Greyspace,

Your logs are clean, no malware left. The Kaspersky detections are files we have quarantined and LogMeIn, which it detected as "riskware". Not a problem as long as you knowingly installed it. We will remove the quarantined files shortly.

it has buttons on the front of it for volume, CD/DVD playback, etc.

When did you first notice the missing display?

Please post the contents of this file

C:\Qoobox\ComboFix-quarantined-files.txt

Thanks


#24 greyspace

Posted 15 October 2009 - 06:54 PM

I first noticed the missing display yesterday. Prior to that it had been working. Below is the log you requested. Thanks so much.

2009-10-12 10:50:48 . 2009-10-12 10:50:48 162 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-SUPERAntiSpyware.reg.dat
2009-10-10 03:43:37 . 2009-10-10 03:43:37 182 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Corel Photo Downloader.reg.dat
2009-10-10 03:43:35 . 2009-10-10 03:43:35 302 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Dell QuickSet.reg.dat
2009-10-10 02:54:10 . 2009-10-10 03:18:37 30,720 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\GH\stsystra .exe.vir
2009-10-10 02:54:07 . 2009-10-10 03:18:34 30,720 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\GH\rundll32.exe nvhotkey .exe.vir
2009-10-10 02:36:24 . 2009-10-10 03:18:17 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\win32k.sys.vir
2009-10-10 02:33:54 . 2009-10-10 02:33:54 46 ----a-w- C:\Qoobox\Quarantine\C\p2hhr.bat.vir
2009-10-10 02:33:51 . 2009-10-10 02:33:58 458,209 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\AVR09.exe.vir
2009-10-10 02:33:43 . 2009-10-10 02:50:03 14 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\GHL\Application Data\iniasd.txt.vir
2009-10-10 02:33:33 . 2009-10-10 02:49:44 22,528 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\winhelper.dll.vir
2009-10-10 02:33:29 . 2009-10-10 02:49:31 831 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\critical_warning.html.vir
2009-10-10 02:33:26 . 2009-10-10 02:33:21 24,576 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate .exe.vir
2009-10-10 02:33:26 . 2009-10-10 02:33:21 24,576 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate.exe.vir
2009-10-10 02:33:15 . 2009-10-10 02:33:15 15,000 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\p0duaad.dll.vir
2009-10-10 02:33:13 . 2009-10-10 02:33:12 306,688 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\GHL\Application Data\svcst .exe.vir
2009-10-10 02:33:06 . 2009-10-10 02:33:12 351,232 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir
2009-07-28 10:22:45 . 2009-07-28 10:22:45 91 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Aim6.reg.dat
2009-07-28 10:13:49 . 2009-07-28 10:13:49 1,046 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}.reg.dat
2009-07-28 10:13:49 . 2009-10-10 03:37:58 1,046 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}.reg.dat
2009-07-28 10:13:44 . 2009-10-14 00:17:26 7,502 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-07-28 10:04:39 . 2009-10-14 00:10:19 541 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-04-24 19:29:02 . 2009-04-24 19:29:02 9,013,760 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\a94995.msp.vir
2008-01-29 02:09:04 . 2008-01-29 02:09:04 5,055,488 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\43058.msp.vir
2004-08-11 22:00:41 . 2008-04-14 00:12:16 15,360 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ctfmon .exe.vir
2004-08-11 22:00:25 . 2009-02-09 12:10:48 61,440 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\1a34734.msi.vir
2004-08-11 22:00:13 . 2008-04-14 00:11:53 61,952 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir

#25 oldman960

Posted 15 October 2009 - 10:24 PM

Hi Greyspace,

It looks like ComboFix removed the registry entry as an orphan the first time you used it. The file appeared to be infected; perhaps the infected file was removed by MBAM in an earlier run or by your AV.

We'll have a look for the file and make sure there is a clean copy. Use SystemLook again with this script

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main text field.
  • Do not copy the word CODE. Please note the script starts with the :
    :filefind
    *QuickSet*
    *syntpenh*
    *pwrisovm*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Thanks


#26 greyspace

Posted 16 October 2009 - 04:23 AM

Hi again, here is the log:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 03:22 on 16/10/2009 by GHL (Administrator - Elevation successful)

No Context: filefind
No Context: *QuickSet*
No Context: *syntpenh*
No Context: *pwrisovm*

-=End Of File=-

#27 oldman960

Posted 16 October 2009 - 06:30 AM

Hi Greyspace,

It looks like you missed the : at the beginning of the script. Please run it again, ensuring it starts with the colon.

Thanks

#28 greyspace

Posted 16 October 2009 - 04:20 PM

Sorry about that. Below is the log:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 15:17 on 16/10/2009 by GHL (Administrator - Elevation successful)

========== filefind ==========

Searching for "*QuickSet*"
C:\Documents and Settings\All Users\Start Menu\Programs\Dell QuickSet\QuickSet.lnk --a--- 527 bytes [03:09 04/04/2007] [03:09 04/04/2007] C36DAC2A1097A6FE9BC5CF39C787C25C
C:\Program Files\Dell\QuickSet\quickset .exe --a--- 1032192 bytes [03:09 04/04/2007] [23:51 03/08/2006] A2DC1E0E4C74D5D9598E18B2FDC7CEE4
C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Dell QuickSet.reg.dat --a--- 302 bytes [03:43 10/10/2009] [03:43 10/10/2009] 07807469DBA8A2B3D9BA80EAF29C393A

Searching for "*syntpenh*"
C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe ------ 761947 bytes [03:09 04/04/2007] [16:48 08/03/2006] ABB85828C394CEACACBC90373C59C529
C:\Program Files\Synaptics\SynTP\syntpenh .exe --a--- 761947 bytes [03:09 04/04/2007] [16:48 08/03/2006] ABB85828C394CEACACBC90373C59C529

Searching for "*pwrisovm*"
C:\Program Files\GHL\Self-Installed\PowerISO\pwrisovm .exe --a--- 180224 bytes [10:15 15/03/2009] [10:15 15/03/2009] 953A4E72A339BCE0068BFCBE5D8584F1

-=End Of File=-

#29 oldman960

Posted 16 October 2009 - 07:32 PM

Hi Greyspace,

Open a new Notepad session
  • Click the Start button, then click Run.
  • In the Run box, type notepad
  • Click OK.
  • In Notepad, click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into Notepad. Do not copy the word CODE.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"

  • Ensure there is no space above the REGEDIT4.
  • Ensure the text matches, including the space between lines.
  • In Notepad go to FILE > SAVE AS and, in the dropdown box, set the top box SAVE IN to DESKTOP.
  • In the FILE NAME box type (including the " " marks) "fix.reg"
  • Click Save.

This will create a fix.reg file on your desktop.

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

Reboot your computer. Everything ok now?

Please post a new HJT log.

Thanks

#30 greyspace

Posted 16 October 2009 - 08:52 PM

Hi there. I tried your suggestion with the fix.reg but it didn't seem to work.

Here is the hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:50 PM, on 10/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\GHL\Self-Installed\Palm\Hotsync.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070403
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: VideoRaptorIePlugin Class - {90C8E8F8-A7C9-41E4-92E4-C679AE6FB78D} - C:\Program Files\Videoraptor\VideoRaptorIePlugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\bambite\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\GHL\Self-Installed\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.aka...vex-2.2.4.1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset...lineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebo...oUploader55.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SAS\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11321 bytes
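
An added example, not part of the thread: one way to check a HijackThis log for a Run value merged from a .reg file, and to list the Run entries that give no absolute path (Windows resolves those through the search path, so the log line alone does not identify the file that runs). The sample lines are copied from the log above; the function names are hypothetical.

```python
import ntpath
import re

# Sample O4 lines copied from the HijackThis v2.0.2 log in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth.lnk = ?
"""

# Registry autostart lines only; startup-folder shortcuts use another layout.
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$",
    re.MULTILINE,
)
# Program part of a command line: a quoted path, or an unquoted path
# (which may contain spaces) up to the first executable extension.
IMAGE = re.compile(
    r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.*?\.(?:exe|com|bat|cmd|scr))(?=\s|$))',
    re.IGNORECASE,
)


def image_path(cmd):
    """Return the program named by a Run command line, without arguments."""
    m = IMAGE.match(cmd)
    if not m:
        return cmd.split()[0]
    return m.group("quoted") or m.group("bare")


def parse_run_entries(log_text):
    """Parse the O4 registry Run lines of a HijackThis log into dicts."""
    entries = []
    for m in O4_RUN.finditer(log_text):
        image = image_path(m.group("cmd").strip())
        entries.append({
            "hive": m.group("hive"),
            "key": m.group("key"),
            "name": m.group("name"),
            "image": image,
            "absolute": ntpath.isabs(image),  # Windows path rules on any OS
        })
    return entries


def find_entry(entries, hive, name):
    """Return the entry with this hive and value name, or None."""
    for e in entries:
        if e["hive"] == hive and e["name"].lower() == name.lower():
            return e
    return None


def unqualified(entries):
    """Names of Run values whose program is given without a full path."""
    return [e["name"] for e in entries if not e["absolute"]]


if __name__ == "__main__":
    run = parse_run_entries(SAMPLE_LOG)
    print("Dell QuickSet:", find_entry(run, "HKLM", "Dell QuickSet"))
    print("No absolute path:", unqualified(run))
```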
