Hi Dave - Great to hear from you - the forums are very busy and I really appreciate the offer to help me with my system challenges. Attached below are the two reports you asked for. I look forward to hearing back from you at your earliest convenience.
Again thanks!!!!
ComboFix 08-06-05.3 - Len Pinto 2008-06-06 10:03:11.1 - NTFSx86
Running from: C:\Documents and Settings\Len Pinto\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\ODCTOOLS
C:\WINDOWS\egao.exe
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\aKlUEfhk.ini
C:\WINDOWS\system32\aKlUEfhk.ini2
C:\WINDOWS\system32\ayfdgqhh.dll
C:\WINDOWS\system32\BayGQqss.ini
C:\WINDOWS\system32\BayGQqss.ini2
C:\WINDOWS\system32\BJlVwGgh.ini
C:\WINDOWS\system32\BJlVwGgh.ini2
C:\WINDOWS\system32\brovxclx.dll
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\cJRXaccf.ini
C:\WINDOWS\system32\cJRXaccf.ini2
C:\WINDOWS\system32\crqpabli.dll
C:\WINDOWS\system32\dgchtfjj.ini
C:\WINDOWS\system32\dijmiket.ini
C:\WINDOWS\system32\domgqlgg.dll
C:\WINDOWS\system32\eioppkfy.ini
C:\WINDOWS\system32\fqjswiht.ini
C:\WINDOWS\system32\gglqgmod.ini
C:\WINDOWS\system32\hhqgdfya.ini
C:\WINDOWS\system32\ilbapqrc.ini
C:\WINDOWS\system32\jjfthcgd.dll
C:\WINDOWS\system32\kexjlpgn.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ngpljxek.dll
C:\WINDOWS\system32\ngxwqefp.dll
C:\WINDOWS\system32\nqwmkdpy.dll
C:\WINDOWS\system32\OUuCKRqr.ini
C:\WINDOWS\system32\OUuCKRqr.ini2
C:\WINDOWS\system32\pfeqwxgn.ini
C:\WINDOWS\system32\PprAyyay.ini
C:\WINDOWS\system32\PprAyyay.ini2
C:\WINDOWS\system32\pWvyHRqr.ini
C:\WINDOWS\system32\pWvyHRqr.ini2
C:\WINDOWS\system32\qvvitiny.dll
C:\WINDOWS\system32\qWEMWvut.ini
C:\WINDOWS\system32\qWEMWvut.ini2
C:\WINDOWS\system32\rlsaeior.ini
C:\WINDOWS\system32\svvEMnnn.ini
C:\WINDOWS\system32\svvEMnnn.ini2
C:\WINDOWS\system32\tekimjid.dll
C:\WINDOWS\system32\tflwdmtd.ini
C:\WINDOWS\system32\VDLoYcdd.ini
C:\WINDOWS\system32\VDLoYcdd.ini2
C:\WINDOWS\system32\wDeOUBeg.ini
C:\WINDOWS\system32\wDeOUBeg.ini2
C:\WINDOWS\system32\xlcxvorb.ini
C:\WINDOWS\system32\yayaXoPG.dll
C:\WINDOWS\system32\yayyArpP.dll
C:\WINDOWS\system32\yfkppoie.dll
C:\WINDOWS\system32\ynitivvq.ini
C:\WINDOWS\system32\ypdkmwqn.ini
C:\WINDOWS\xmpstean.exe
.
((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.
2008-06-06 08:59 . 2008-06-06 08:59 93,056 --a------ C:\WINDOWS\system32\roieaslr.dll
2008-06-05 08:57 . 2008-06-05 08:57 95,232 --a------ C:\WINDOWS\system32\dtmdwlft.dll
2008-06-04 08:57 . 2008-06-04 08:57 95,232 --a------ C:\WINDOWS\system32\thiwsjqf.dll
2008-06-03 11:22 . 2008-06-03 11:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-03 11:22 . 2008-06-03 11:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-01 23:16 . 2008-06-06 09:36 <DIR> d-------- C:\spywarevanisher-full
2008-06-01 23:16 . 2008-06-01 23:16 724,992 --a------ C:\WINDOWS\iun6002.exe
2008-06-01 21:25 . 2008-06-01 21:25 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-06-01 14:01 . 2008-06-01 14:01 324,864 --a------ C:\WINDOWS\system32\Spy_File_geBUOeDw.dll
2008-06-01 13:58 . 2008-06-01 13:58 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-01 13:27 . 2008-06-01 13:27 <DIR> d-------- C:\VundoFix Backups
2008-05-30 08:54 . 2008-05-30 08:55 75,808 --a------ C:\BACKUP.svf
2008-05-29 00:33 . 2008-05-29 00:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-28 16:22 . 2008-05-28 16:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-27 17:58 . 2008-06-01 12:35 763 --a------ C:\WINDOWS\wininit.ini
2008-05-22 16:28 . 2007-01-31 13:45 127,376 --a------ C:\WINDOWS\system32\drivers\dne2000.sys
2008-05-22 16:28 . 2007-01-31 13:45 101,904 --a------ C:\WINDOWS\system32\dneinobj.dll
2008-05-22 16:27 . 2008-05-22 16:27 <DIR> d-------- C:\Program Files\Common Files\Deterministic Networks
2008-05-22 16:27 . 2008-05-22 16:27 <DIR> d-------- C:\Program Files\Cisco Systems
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-06 13:36 . 2008-06-06 09:38 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 16:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-06 16:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-05 21:00 --------- d-----w C:\Program Files\Configuration
2008-06-03 17:54 --------- d-----w C:\Program Files\Trusted Sites
2008-05-30 20:44 --------- d-----w C:\Program Files\SpywareBlaster
2008-05-30 20:35 --------- d-----w C:\Program Files\Lavasoft
2008-05-30 20:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-30 20:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-23 15:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Retrospect
2008-05-23 00:39 --------- d-----w C:\Documents and Settings\Len Pinto\Application Data\U3
2008-05-16 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-14 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-05 19:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-25 22:03 --------- d-----w C:\Program Files\Financial Advisory Service
2008-04-06 19:02 --------- d-----w C:\Program Files\HP
2007-07-18 19:06 28,672 ----a-w C:\Documents and Settings\Len Pinto\atwbxdet.dll
2006-07-14 23:53 61,928 -c--a-w C:\Documents and Settings\Len Pinto\Application Data\GDIPFONTCACHEV1.DAT
2006-04-26 15:31 211,383 -c--a-w C:\Program Files\INSTALL.LOG
2006-04-21 02:35 29,604 ----a-w C:\Program Files\Windows XPTrustedsitesSPApril06.vbs
2005-11-15 23:32 3,638 ----a-r C:\Program Files\Common Files\Altiris_Icon.ico
2004-09-01 18:22 68,096 ------w C:\Documents and Settings\Len Pinto\hodprint.dll
2001-09-29 00:00 164,864 ----a-w C:\Program Files\UNWISE.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SgeIconOvl]
@={ba930330-a721-11d3-a7b9-00500464ee16}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SgeIconOvl2]
@={2030D939-54A7-4fea-9B06-49EA77EFC87F}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Spyware Vanisher"="C:\spywarevanisher-full\SpywareVanisher.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SGEConfiguration"="C:\Program Files\Utimaco\SafeGuard Easy\SGEConfigurations.bat" [2007-01-31 20:22 380]
"EdWizard"="C:\Program Files\Utimaco\SafeGuard Easy\EdWizard.exe" [2006-09-22 16:01 245760]
"SgeEcView"="C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe" [2006-09-22 16:06 24576]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-10-16 21:50 111952]
"RunningApp"="C:\Program Files\Configuration\shared\Runningapp.vbs" [2007-11-09 04:54 194]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2007-10-25 16:06 136512]
"AltirisConfiguration"="C:\Program Files\Configuration\ConfigCheck\ScheduleConfig.vbs" [2007-09-10 21:50 515]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-03-12 07:57 3067904]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-07-16 11:58:04 1544984]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NotLog]
SGLogEx.dll 2002-01-22 15:28 110592 C:\WINDOWS\system32\SGLogEx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2003-10-31 12:01 8704 C:\WINDOWS\system32\PCANotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SGLogNotification]
SGLogNotification.dll 2005-03-31 11:27 69632 C:\WINDOWS\system32\SGLogNotification.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk.disabled
backup=C:\WINDOWS\pss\Desktop Manager.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^FTP Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\FTP Utility.lnk
backup=C:\WINDOWS\pss\FTP Utility.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK
backup=C:\WINDOWS\pss\Install Pending Files.LNKCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ION Backup Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ION Backup Tool.lnk
backup=C:\WINDOWS\pss\ION Backup Tool.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk.disabled
backup=C:\WINDOWS\pss\Microsoft Office.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk.disabled
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Len Pinto^Start Menu^Programs^Startup^MotionBased Agent.lnk.disabled]
path=C:\Documents and Settings\Len Pinto\Start Menu\Programs\Startup\MotionBased Agent.lnk.disabled
backup=C:\WINDOWS\pss\MotionBased Agent.lnk.disabledStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2006-01-12 21:52 483328 C:\Program Files\Adobe\Distillr\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AeXAgentLogon]
--a------ 2008-01-30 20:06 143360 C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--------- 2002-10-07 00:23 90112 C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
--a------ 2007-03-04 23:08 1891416 C:\Garmin\gStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-03-12 07:57 3067904 C:\WINDOWS\system32\NvCpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Crawler]
C:\PROGRA~1\RCrawler\RCrawler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2004-10-05 15:24 688218 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2004-10-05 15:25 98394 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USG]
--a------ 2007-02-07 05:13 111351 C:\WINDOWS\system32\USG.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"iPodService"=3 (0x3)
"aawservice"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"RecordNow!"=
"Spyware Vanisher"=C:\spywarevanisher-full\SpywareVanisher.exe -FastScan
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nwiz"=nwiz.exe /installquiet
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe
"eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"HP Software Update"=C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\sybase\\SQL Anywhere 7\\Win32\\dbeng7.exe"=
"C:\\Program Files\\RDS\\DdsAdmin.exe"=
"C:\\Program Files\\Financial Advisory Service\\Financial Advisory Service.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\sybase\\SQL Anywhere 7\\Win32\\dbsrv7.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"C:\\Program Files\\ALInstaller\\ALInstaller.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LISA Desktop\\jdk142_06\\bin\\javaw.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\KONICA MINOLTA\\FTP Utility\\KMFtp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Cisco Systems\\VPN Client\\cvpnd.exe"=
"C:\\Program Files\\Altiris\\Altiris Agent\\AeXNSAgent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"62515:UDP"= 62515:UDP:AMPF PORT: Cisco VPN Client
"3670:TCP"= 3670:TCP:ricoh
"500:UDP"= 500:UDP:AMPF PORT: Cisco VPN Client
R0 AES-256;AES-256;C:\WINDOWS\system32\DRIVERS\AES256.SYS [2006-09-22 16:04]
R0 SgeFlt;SgeFlt;C:\WINDOWS\system32\DRIVERS\SGEFLT.SYS [2006-09-22 16:06]
R2 RsiSvc;Ridoc Server Information Service;C:\Program Files\RDS\RsiSvc.exe [2000-11-30 22:34]
R3 EMCR;EMCR;C:\WINDOWS\system32\DRIVERS\EMCR7SK.sys [2003-08-15 08:10]
S2 DdsSched;Dds Scheduler Deamon;C:\Program Files\RDS\ddsschednt.exe [2002-11-20 16:53]
S2 pciinfo;HP Pci Information;C:\DOCUME~1\LENPIN~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2003-07-01 12:51]
S4 ScanRouterDriverV2;ScanRouterDriverV2;C:\Program Files\RDS\srscandr.exe [2003-08-01 17:06]
S4 SOption;SOption;C:\Program Files\RDS\SOption.exe [2002-07-31 10:43]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\start.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-02 17:12:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-06 16:00:09 C:\WINDOWS\Tasks\At6.job"
- C:\Program Files\Configuration\ConfigCheck\Schedule.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-06-06 10:21:32
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\SGEGINATHK.DLL
-> C:\Program Files\Utimaco\SafeGuard Easy\SGUICL.MSG
-> C:\Program Files\Utimaco\SafeGuard Easy\SGE_ERR0409.DLL
-> C:\Program Files\Utimaco\SafeGuard Easy\SGE_MSG0409.DLL
-> C:\Program Files\Utimaco\SafeGuard Easy\SGE_INFO0409.DLL
-> C:\Program Files\Utimaco\SafeGuard Easy\SecClassFactoryPS.dll
-> C:\Program Files\Utimaco\SafeGuard Easy\wkscfgsrvps.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\IOGear\ION\IoctlSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\SgLogPlayer.exe
C:\Program Files\Network Associates\Common Framework\Mctray.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2008-06-06 10:26:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-06 17:26:53
Pre-Run: 33,901,105,152 bytes free
Post-Run: 33,751,216,128 bytes free
319 --- E O F --- 2008-05-19 15:59:37
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:23, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\IOGear\ION\IoctlSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\RDS\RsiSvc.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\SgLogPlayer.exe
C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://advisorcompass.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SGEConfiguration] "C:\Program Files\Utimaco\SafeGuard Easy\SGEConfigurations.bat"
O4 - HKLM\..\Run: [EdWizard] "C:\Program Files\Utimaco\SafeGuard Easy\EdWizard.exe" as
O4 - HKLM\..\Run: [SgeEcView] "C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [RunningApp] C:\Program Files\Configuration\shared\Runningapp.vbs
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [AltirisConfiguration] "C:\Program Files\Configuration\ConfigCheck\ScheduleConfig.vbs"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-full\SpywareVanisher.exe -FastScan
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.ez-data.com
O15 - Trusted Zone: *.ezdata.com
O15 - Trusted Zone: *.smartofficeonline.com
O15 - Trusted Zone: *.50below.com (HKLM)
O15 - Trusted Zone: *.advisorcompass.com (HKLM)
O15 - Trusted Zone: *.aefatesting.com (HKLM)
O15 - Trusted Zone: *.aexp.com (HKLM)
O15 - Trusted Zone: *.americanexpress.com (HKLM)
O15 - Trusted Zone: *.ameriprise.com (HKLM)
O15 - Trusted Zone: *.ameriprisecentral.com (HKLM)
O15 - Trusted Zone: *.amexweb.com (HKLM)
O15 - Trusted Zone: *.ampadvisor.com (HKLM)
O15 - Trusted Zone: *.ampf.com (HKLM)
O15 - Trusted Zone: *.awaxpqapilot.morningstar.com (HKLM)
O15 - Trusted Zone: *.documentsonthenet.com (HKLM)
O15 - Trusted Zone: *.ez-data.com (HKLM)
O15 - Trusted Zone: *.foremostadvice.com (HKLM)
O15 - Trusted Zone: *.FundPOINTDesktop.com (HKLM)
O15 - Trusted Zone: *.mainaccount.com (HKLM)
O15 - Trusted Zone: *.marketwatch.com (HKLM)
O15 - Trusted Zone: *.ogilvy.com (HKLM)
O15 - Trusted Zone: *.orders.com (HKLM)
O15 - Trusted Zone: *.pii121.com (HKLM)
O15 - Trusted Zone: *.riversource.com (HKLM)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {17B1601D-4A50-4E19-A588-0F6C2B23AABC} (SmartConvertor) - https://ampf.ez-data...rtConvertor.cab
O16 - DPF: {1FA44E01-A60B-4449-BF97-66CDAA200433} (SOConfig6 Class) - https://ampf.ez-data...s/SOConfig6.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {D22621D3-E219-4B03-AF3E-5E8AEF7CC70B} (SmartBridge6 Class) - https://ampf.ez-data...OfficeLink6.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.advi...ecom0/dwa7W.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ameriprise.w...bex/ieatgpc.cab
O16 - DPF: {E78D37F9-9B88-4806-8E85-A125D658F57A} (EZFileView Class) - https://ampf.ez-data...ImageViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ampf.com
O17 - HKLM\Software\..\Telephony: DomainName = ampf.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ampf.com
O20 - Winlogon Notify: NotLog - C:\WINDOWS\SYSTEM32\SGLogEx.dll
O20 - Winlogon Notify: SGLogNotification - C:\WINDOWS\SYSTEM32\SGLogNotification.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Program Files\RDS\ddsschednt.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Program Files\IOGear\ION\IoctlSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Program Files\RDS\RsiSvc.exe
O23 - Service: SafeGuard Easy Client (SgeClient) - Unknown owner - C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
O23 - Service: SafeGuard Easy Control (SgeCtl) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
O23 - Service: SafeGuard SGLOG Player (SgLogPlayer) - Utimaco Safeware AG - C:\WINDOWS\system32\SgLogPlayer.exe
O23 - Service: SafeGuard Easy Workstation Server (WksCfgSrv) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
--
End of file - 11400 bytes
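Editor's note, as an added triage example that is not part of Len's post and not ComboFix's or HijackThis's own code: the "Other Deletions" and "Files Created" sections above carry a pattern worth checking by script rather than by eye. Nearly every eight-letter random DLL in system32 (ayfdgqhh.dll, crqpabli.dll, yayyArpP.dll, and the three dropped one per morning at 08:57-08:59) has a companion .ini, sometimes with an .ini2, whose base name is the DLL name spelled backwards (hhqgdfya.ini, ilbapqrc.ini, PprAyyay.ini). That reversed-name pairing is the signature of the Vundo/Virtumonde family, which the log's own VundoFix Backups folder already hints at. The script below parses a subset of the log's lines (constructed from the post; lower-cases names because NTFS is case-insensitive), pairs each DLL with its reversed-name .ini, lists .ini files whose DLL is already gone, and flags DLLs created on consecutive days at about the same time, which points at a dropper or scheduled task that survived the clean-up. The function names and the ten-minute time window are my assumptions.

```python
"""Triage helper for the ComboFix 'Other Deletions' / 'Files Created' sections."""
import re
from datetime import date

# Constructed sample: a subset of lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\aKlUEfhk.ini
C:\WINDOWS\system32\aKlUEfhk.ini2
C:\WINDOWS\system32\ayfdgqhh.dll
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\crqpabli.dll
C:\WINDOWS\system32\fqjswiht.ini
C:\WINDOWS\system32\hhqgdfya.ini
C:\WINDOWS\system32\ilbapqrc.ini
C:\WINDOWS\system32\PprAyyay.ini
C:\WINDOWS\system32\PprAyyay.ini2
C:\WINDOWS\system32\rlsaeior.ini
C:\WINDOWS\system32\tflwdmtd.ini
C:\WINDOWS\system32\yayyArpP.dll
C:\WINDOWS\xmpstean.exe
((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
2008-06-06 08:59 . 2008-06-06 08:59 93,056 --a------ C:\WINDOWS\system32\roieaslr.dll
2008-06-05 08:57 . 2008-06-05 08:57 95,232 --a------ C:\WINDOWS\system32\dtmdwlft.dll
2008-06-04 08:57 . 2008-06-04 08:57 95,232 --a------ C:\WINDOWS\system32\thiwsjqf.dll
2008-06-03 11:22 . 2008-06-03 11:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
"""

STAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}):(\d{2}) ")
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")   # names are lower-cased before matching


def parse_files(log_text):
    """Map lower-cased basename -> (full path, (date, minute_of_day) or None)."""
    files = {}
    for line in log_text.splitlines():
        if "<DIR>" in line:
            continue
        i = line.find(":\\")          # first 'X:\' is where the Windows path starts
        if i < 1:
            continue
        path = line[i - 1:].strip()
        m = STAMP_RE.match(line)      # 'Files Created' lines carry a creation stamp
        created = None
        if m:
            created = (date.fromisoformat(m.group(1)), int(m.group(2)) * 60 + int(m.group(3)))
        files[path.rsplit("\\", 1)[-1].lower()] = (path, created)
    return files


def find_reversed_pairs(files):
    """DLLs with an 8-letter stem whose .ini twin is that stem spelled backwards."""
    pairs = []
    for name, (path, created) in files.items():
        stem, _, ext = name.rpartition(".")
        if ext != "dll" or not RANDOM_STEM_RE.match(stem):
            continue
        twin = stem[::-1] + ".ini"
        if twin in files:
            ini2 = files[twin + "2"][0] if twin + "2" in files else None
            pairs.append({"dll": path, "ini": files[twin][0], "ini2": ini2, "created": created})
    return sorted(pairs, key=lambda p: p["dll"].lower())


def find_orphan_inis(files):
    """8-letter .ini files whose reversed-name DLL is not in the listing any more."""
    return sorted(
        (path for name, (path, _) in files.items()
         if name.endswith(".ini") and RANDOM_STEM_RE.match(name[:-4])
         and name[:-4][::-1] + ".dll" not in files),
        key=str.lower)


def daily_redrop(pairs, window_minutes=10):
    """Dates on which paired DLLs were created on consecutive days at about the
    same time of day; the 10-minute window is an assumed threshold."""
    stamped = sorted(p["created"] for p in pairs if p["created"])
    if len(stamped) < 2:
        return []
    minutes = [m for _, m in stamped]
    days = [d for d, _ in stamped]
    if max(minutes) - min(minutes) > window_minutes:
        return []
    if any((b - a).days != 1 for a, b in zip(days, days[1:])):
        return []
    return days


def summarize(log_text):
    files = parse_files(log_text)
    pairs = find_reversed_pairs(files)
    return {"pairs": pairs, "orphans": find_orphan_inis(files), "redrop_days": daily_redrop(pairs)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for p in report["pairs"]:
        print("pair  ", p["dll"], "<->", p["ini"], "(+ini2)" if p["ini2"] else "")
    for o in report["orphans"]:
        print("orphan", o)
    print("re-dropped daily on:", ", ".join(str(d) for d in report["redrop_days"]))
```

Run against the full log the same way (paste the two sections into SAMPLE_LOG): the orphan list grows to the ten mixed-case .ini/.ini2 sets whose DLLs were already removed by earlier tools, and the consecutive-day hits for 2008-06-04 through 2008-06-06 are the reason a clean Vundo log on one day is not proof the machine is clean on the next.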