Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91734 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Help / Virtumonde, Zlob, BHO - yayaXoPG.dll


  • This topic is locked This topic is locked
20 replies to this topic

#1 Lpinto

Lpinto

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 02 June 2008 - 12:18 PM

I have tried several methods to get rid of these issues and none are - I am getting constant re-directs to porn and other sites - the HOST site seems to be 127.0.0.1 - my Windows Auto Update program has been disabled and cannot be reactivated - my desktop clock is in military time and cannot be changed back - and I have scanned with several programs such as Spybot, Adaware and have tried to delete Virtumonde, Virtumonde.dll, Zlob, and the BHO: C:\WINDOWS/system32\yayaXoPG.dll.
The Virumonde and same BHO keep coming back.
The BHO shows creation 5-27-08 4:40:56 PM (which is the beginning of my troubles) with the following info
File Size - 3432
MD5: 91FC5EE4DAB81489570182FB7847590A
CRC32: 7DFC38E2
Attributes: archive

I have tried several times to delete with the HijackThis program but no success - below is my last scan

I hope you can help

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:02, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\IOGear\ION\IoctlSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\RDS\RsiSvc.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\SgLogPlayer.exe
C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://advisorcompass.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://google.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SGEConfiguration] "C:\Program Files\Utimaco\SafeGuard Easy\SGEConfigurations.bat"
O4 - HKLM\..\Run: [EdWizard] "C:\Program Files\Utimaco\SafeGuard Easy\EdWizard.exe" as
O4 - HKLM\..\Run: [SgeEcView] "C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [RunningApp] C:\Program Files\Configuration\shared\Runningapp.vbs
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [AltirisConfiguration] "C:\Program Files\Configuration\ConfigCheck\ScheduleConfig.vbs"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-full\SpywareVanisher.exe -FastScan
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.ez-data.com
O15 - Trusted Zone: *.ezdata.com
O15 - Trusted Zone: *.smartofficeonline.com
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {17B1601D-4A50-4E19-A588-0F6C2B23AABC} (SmartConvertor) - https://ampf.ez-data...rtConvertor.cab
O16 - DPF: {1FA44E01-A60B-4449-BF97-66CDAA200433} (SOConfig6 Class) - https://ampf.ez-data...s/SOConfig6.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {D22621D3-E219-4B03-AF3E-5E8AEF7CC70B} (SmartBridge6 Class) - https://ampf.ez-data...OfficeLink6.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.advi...ecom0/dwa7W.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ameriprise.w...bex/ieatgpc.cab
O16 - DPF: {E78D37F9-9B88-4806-8E85-A125D658F57A} (EZFileView Class) - https://ampf.ez-data...ImageViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ampf.com
O17 - HKLM\Software\..\Telephony: DomainName = ampf.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ampf.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Program Files\RDS\ddsschednt.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Program Files\IOGear\ION\IoctlSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Program Files\RDS\RsiSvc.exe
O23 - Service: SafeGuard Easy Client (SgeClient) - Unknown owner - C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
O23 - Service: SafeGuard Easy Control (SgeCtl) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
O23 - Service: SafeGuard SGLOG Player (SgLogPlayer) - Utimaco Safeware AG - C:\WINDOWS\system32\SgLogPlayer.exe
O23 - Service: SafeGuard Easy Workstation Server (WksCfgSrv) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe

--
End of file - 10469 bytes

    Advertisements

Register to Remove


#2 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 05 June 2008 - 05:45 PM

Hi Lpinto and welcome to the forums.

My name is Dave. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can sometimes take a while to research so please be patient and I'd be grateful if you would note the following:
  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • I recommend you make a backup of any data that you have created, such as documents, pictures, music, ect... before we begin the fix.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#3 Lpinto

Lpinto

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 06 June 2008 - 11:38 AM

Hi Dave - Great to hear from you - the forums are very busy and I really appreciate the offer to help me with my system challenges. Attached below are the two reports you wished. Look forward to hearing back from you at your earliest convenience.

Again thanks!!!!

ComboFix 08-06-05.3 - Len Pinto 2008-06-06 10:03:11.1 - NTFSx86
Running from: C:\Documents and Settings\Len Pinto\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\ODCTOOLS
C:\WINDOWS\egao.exe
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\aKlUEfhk.ini
C:\WINDOWS\system32\aKlUEfhk.ini2
C:\WINDOWS\system32\ayfdgqhh.dll
C:\WINDOWS\system32\BayGQqss.ini
C:\WINDOWS\system32\BayGQqss.ini2
C:\WINDOWS\system32\BJlVwGgh.ini
C:\WINDOWS\system32\BJlVwGgh.ini2
C:\WINDOWS\system32\brovxclx.dll
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\cJRXaccf.ini
C:\WINDOWS\system32\cJRXaccf.ini2
C:\WINDOWS\system32\crqpabli.dll
C:\WINDOWS\system32\dgchtfjj.ini
C:\WINDOWS\system32\dijmiket.ini
C:\WINDOWS\system32\domgqlgg.dll
C:\WINDOWS\system32\eioppkfy.ini
C:\WINDOWS\system32\fqjswiht.ini
C:\WINDOWS\system32\gglqgmod.ini
C:\WINDOWS\system32\hhqgdfya.ini
C:\WINDOWS\system32\ilbapqrc.ini
C:\WINDOWS\system32\jjfthcgd.dll
C:\WINDOWS\system32\kexjlpgn.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ngpljxek.dll
C:\WINDOWS\system32\ngxwqefp.dll
C:\WINDOWS\system32\nqwmkdpy.dll
C:\WINDOWS\system32\OUuCKRqr.ini
C:\WINDOWS\system32\OUuCKRqr.ini2
C:\WINDOWS\system32\pfeqwxgn.ini
C:\WINDOWS\system32\PprAyyay.ini
C:\WINDOWS\system32\PprAyyay.ini2
C:\WINDOWS\system32\pWvyHRqr.ini
C:\WINDOWS\system32\pWvyHRqr.ini2
C:\WINDOWS\system32\qvvitiny.dll
C:\WINDOWS\system32\qWEMWvut.ini
C:\WINDOWS\system32\qWEMWvut.ini2
C:\WINDOWS\system32\rlsaeior.ini
C:\WINDOWS\system32\svvEMnnn.ini
C:\WINDOWS\system32\svvEMnnn.ini2
C:\WINDOWS\system32\tekimjid.dll
C:\WINDOWS\system32\tflwdmtd.ini
C:\WINDOWS\system32\VDLoYcdd.ini
C:\WINDOWS\system32\VDLoYcdd.ini2
C:\WINDOWS\system32\wDeOUBeg.ini
C:\WINDOWS\system32\wDeOUBeg.ini2
C:\WINDOWS\system32\xlcxvorb.ini
C:\WINDOWS\system32\yayaXoPG.dll
C:\WINDOWS\system32\yayyArpP.dll
C:\WINDOWS\system32\yfkppoie.dll
C:\WINDOWS\system32\ynitivvq.ini
C:\WINDOWS\system32\ypdkmwqn.ini
C:\WINDOWS\xmpstean.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-06 08:59 . 2008-06-06 08:59 93,056 --a------ C:\WINDOWS\system32\roieaslr.dll
2008-06-05 08:57 . 2008-06-05 08:57 95,232 --a------ C:\WINDOWS\system32\dtmdwlft.dll
2008-06-04 08:57 . 2008-06-04 08:57 95,232 --a------ C:\WINDOWS\system32\thiwsjqf.dll
2008-06-03 11:22 . 2008-06-03 11:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-03 11:22 . 2008-06-03 11:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-01 23:16 . 2008-06-06 09:36 <DIR> d-------- C:\spywarevanisher-full
2008-06-01 23:16 . 2008-06-01 23:16 724,992 --a------ C:\WINDOWS\iun6002.exe
2008-06-01 21:25 . 2008-06-01 21:25 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-06-01 14:01 . 2008-06-01 14:01 324,864 --a------ C:\WINDOWS\system32\Spy_File_geBUOeDw.dll
2008-06-01 13:58 . 2008-06-01 13:58 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-01 13:27 . 2008-06-01 13:27 <DIR> d-------- C:\VundoFix Backups
2008-05-30 08:54 . 2008-05-30 08:55 75,808 --a------ C:\BACKUP.svf
2008-05-29 00:33 . 2008-05-29 00:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-28 16:22 . 2008-05-28 16:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-27 17:58 . 2008-06-01 12:35 763 --a------ C:\WINDOWS\wininit.ini
2008-05-22 16:28 . 2007-01-31 13:45 127,376 --a------ C:\WINDOWS\system32\drivers\dne2000.sys
2008-05-22 16:28 . 2007-01-31 13:45 101,904 --a------ C:\WINDOWS\system32\dneinobj.dll
2008-05-22 16:27 . 2008-05-22 16:27 <DIR> d-------- C:\Program Files\Common Files\Deterministic Networks
2008-05-22 16:27 . 2008-05-22 16:27 <DIR> d-------- C:\Program Files\Cisco Systems
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-06 13:36 . 2008-06-06 09:38 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 16:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-06 16:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-05 21:00 --------- d-----w C:\Program Files\Configuration
2008-06-03 17:54 --------- d-----w C:\Program Files\Trusted Sites
2008-05-30 20:44 --------- d-----w C:\Program Files\SpywareBlaster
2008-05-30 20:35 --------- d-----w C:\Program Files\Lavasoft
2008-05-30 20:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-30 20:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-23 15:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Retrospect
2008-05-23 00:39 --------- d-----w C:\Documents and Settings\Len Pinto\Application Data\U3
2008-05-16 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-14 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-05 19:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-25 22:03 --------- d-----w C:\Program Files\Financial Advisory Service
2008-04-06 19:02 --------- d-----w C:\Program Files\HP
2007-07-18 19:06 28,672 ----a-w C:\Documents and Settings\Len Pinto\atwbxdet.dll
2006-07-14 23:53 61,928 -c--a-w C:\Documents and Settings\Len Pinto\Application Data\GDIPFONTCACHEV1.DAT
2006-04-26 15:31 211,383 -c--a-w C:\Program Files\INSTALL.LOG
2006-04-21 02:35 29,604 ----a-w C:\Program Files\Windows XPTrustedsitesSPApril06.vbs
2005-11-15 23:32 3,638 ----a-r C:\Program Files\Common Files\Altiris_Icon.ico
2004-09-01 18:22 68,096 ------w C:\Documents and Settings\Len Pinto\hodprint.dll
2001-09-29 00:00 164,864 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SgeIconOvl]
@={ba930330-a721-11d3-a7b9-00500464ee16}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SgeIconOvl2]
@={2030D939-54A7-4fea-9B06-49EA77EFC87F}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Spyware Vanisher"="C:\spywarevanisher-full\SpywareVanisher.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SGEConfiguration"="C:\Program Files\Utimaco\SafeGuard Easy\SGEConfigurations.bat" [2007-01-31 20:22 380]
"EdWizard"="C:\Program Files\Utimaco\SafeGuard Easy\EdWizard.exe" [2006-09-22 16:01 245760]
"SgeEcView"="C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe" [2006-09-22 16:06 24576]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-10-16 21:50 111952]
"RunningApp"="C:\Program Files\Configuration\shared\Runningapp.vbs" [2007-11-09 04:54 194]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2007-10-25 16:06 136512]
"AltirisConfiguration"="C:\Program Files\Configuration\ConfigCheck\ScheduleConfig.vbs" [2007-09-10 21:50 515]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-03-12 07:57 3067904]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-07-16 11:58:04 1544984]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NotLog]
SGLogEx.dll 2002-01-22 15:28 110592 C:\WINDOWS\system32\SGLogEx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2003-10-31 12:01 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SGLogNotification]
SGLogNotification.dll 2005-03-31 11:27 69632 C:\WINDOWS\system32\SGLogNotification.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk.disabled
backup=C:\WINDOWS\pss\Desktop Manager.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^FTP Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\FTP Utility.lnk
backup=C:\WINDOWS\pss\FTP Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK
backup=C:\WINDOWS\pss\Install Pending Files.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ION Backup Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ION Backup Tool.lnk
backup=C:\WINDOWS\pss\ION Backup Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk.disabled
backup=C:\WINDOWS\pss\Microsoft Office.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk.disabled
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Len Pinto^Start Menu^Programs^Startup^MotionBased Agent.lnk.disabled]
path=C:\Documents and Settings\Len Pinto\Start Menu\Programs\Startup\MotionBased Agent.lnk.disabled
backup=C:\WINDOWS\pss\MotionBased Agent.lnk.disabledStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2006-01-12 21:52 483328 C:\Program Files\Adobe\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AeXAgentLogon]
--a------ 2008-01-30 20:06 143360 C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--------- 2002-10-07 00:23 90112 C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
--a------ 2007-03-04 23:08 1891416 C:\Garmin\gStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-03-12 07:57 3067904 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Crawler]
C:\PROGRA~1\RCrawler\RCrawler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2004-10-05 15:24 688218 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2004-10-05 15:25 98394 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USG]
--a------ 2007-02-07 05:13 111351 C:\WINDOWS\system32\USG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"iPodService"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"RecordNow!"=
"Spyware Vanisher"=C:\spywarevanisher-full\SpywareVanisher.exe -FastScan
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nwiz"=nwiz.exe /installquiet
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe
"eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"HP Software Update"=C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\sybase\\SQL Anywhere 7\\Win32\\dbeng7.exe"=
"C:\\Program Files\\RDS\\DdsAdmin.exe"=
"C:\\Program Files\\Financial Advisory Service\\Financial Advisory Service.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\sybase\\SQL Anywhere 7\\Win32\\dbsrv7.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"C:\\Program Files\\ALInstaller\\ALInstaller.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LISA Desktop\\jdk142_06\\bin\\javaw.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\KONICA MINOLTA\\FTP Utility\\KMFtp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Cisco Systems\\VPN Client\\cvpnd.exe"=
"C:\\Program Files\\Altiris\\Altiris Agent\\AeXNSAgent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"62515:UDP"= 62515:UDP:AMPF PORT: Cisco VPN Client
"3670:TCP"= 3670:TCP:ricoh
"500:UDP"= 500:UDP:AMPF PORT: Cisco VPN Client

R0 AES-256;AES-256;C:\WINDOWS\system32\DRIVERS\AES256.SYS [2006-09-22 16:04]
R0 SgeFlt;SgeFlt;C:\WINDOWS\system32\DRIVERS\SGEFLT.SYS [2006-09-22 16:06]
R2 RsiSvc;Ridoc Server Information Service;C:\Program Files\RDS\RsiSvc.exe [2000-11-30 22:34]
R3 EMCR;EMCR;C:\WINDOWS\system32\DRIVERS\EMCR7SK.sys [2003-08-15 08:10]
S2 DdsSched;Dds Scheduler Deamon;C:\Program Files\RDS\ddsschednt.exe [2002-11-20 16:53]
S2 pciinfo;HP Pci Information;C:\DOCUME~1\LENPIN~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2003-07-01 12:51]
S4 ScanRouterDriverV2;ScanRouterDriverV2;C:\Program Files\RDS\srscandr.exe [2003-08-01 17:06]
S4 SOption;SOption;C:\Program Files\RDS\SOption.exe [2002-07-31 10:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-02 17:12:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-06 16:00:09 C:\WINDOWS\Tasks\At6.job"
- C:\Program Files\Configuration\ConfigCheck\Schedule.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 10:21:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\SGEGINATHK.DLL
-> C:\Program Files\Utimaco\SafeGuard Easy\SGUICL.MSG
-> C:\Program Files\Utimaco\SafeGuard Easy\SGE_ERR0409.DLL
-> C:\Program Files\Utimaco\SafeGuard Easy\SGE_MSG0409.DLL
-> C:\Program Files\Utimaco\SafeGuard Easy\SGE_INFO0409.DLL
-> C:\Program Files\Utimaco\SafeGuard Easy\SecClassFactoryPS.dll
-> C:\Program Files\Utimaco\SafeGuard Easy\wkscfgsrvps.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\IOGear\ION\IoctlSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\SgLogPlayer.exe
C:\Program Files\Network Associates\Common Framework\Mctray.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2008-06-06 10:26:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-06 17:26:53

Pre-Run: 33,901,105,152 bytes free
Post-Run: 33,751,216,128 bytes free

319 --- E O F --- 2008-05-19 15:59:37



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:23, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\IOGear\ION\IoctlSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\RDS\RsiSvc.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\SgLogPlayer.exe
C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://advisorcompass.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SGEConfiguration] "C:\Program Files\Utimaco\SafeGuard Easy\SGEConfigurations.bat"
O4 - HKLM\..\Run: [EdWizard] "C:\Program Files\Utimaco\SafeGuard Easy\EdWizard.exe" as
O4 - HKLM\..\Run: [SgeEcView] "C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [RunningApp] C:\Program Files\Configuration\shared\Runningapp.vbs
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [AltirisConfiguration] "C:\Program Files\Configuration\ConfigCheck\ScheduleConfig.vbs"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-full\SpywareVanisher.exe -FastScan
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.ez-data.com
O15 - Trusted Zone: *.ezdata.com
O15 - Trusted Zone: *.smartofficeonline.com
O15 - Trusted Zone: *.50below.com (HKLM)
O15 - Trusted Zone: *.advisorcompass.com (HKLM)
O15 - Trusted Zone: *.aefatesting.com (HKLM)
O15 - Trusted Zone: *.aexp.com (HKLM)
O15 - Trusted Zone: *.americanexpress.com (HKLM)
O15 - Trusted Zone: *.ameriprise.com (HKLM)
O15 - Trusted Zone: *.ameriprisecentral.com (HKLM)
O15 - Trusted Zone: *.amexweb.com (HKLM)
O15 - Trusted Zone: *.ampadvisor.com (HKLM)
O15 - Trusted Zone: *.ampf.com (HKLM)
O15 - Trusted Zone: *.awaxpqapilot.morningstar.com (HKLM)
O15 - Trusted Zone: *.documentsonthenet.com (HKLM)
O15 - Trusted Zone: *.ez-data.com (HKLM)
O15 - Trusted Zone: *.foremostadvice.com (HKLM)
O15 - Trusted Zone: *.FundPOINTDesktop.com (HKLM)
O15 - Trusted Zone: *.mainaccount.com (HKLM)
O15 - Trusted Zone: *.marketwatch.com (HKLM)
O15 - Trusted Zone: *.ogilvy.com (HKLM)
O15 - Trusted Zone: *.orders.com (HKLM)
O15 - Trusted Zone: *.pii121.com (HKLM)
O15 - Trusted Zone: *.riversource.com (HKLM)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {17B1601D-4A50-4E19-A588-0F6C2B23AABC} (SmartConvertor) - https://ampf.ez-data...rtConvertor.cab
O16 - DPF: {1FA44E01-A60B-4449-BF97-66CDAA200433} (SOConfig6 Class) - https://ampf.ez-data...s/SOConfig6.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {D22621D3-E219-4B03-AF3E-5E8AEF7CC70B} (SmartBridge6 Class) - https://ampf.ez-data...OfficeLink6.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.advi...ecom0/dwa7W.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ameriprise.w...bex/ieatgpc.cab
O16 - DPF: {E78D37F9-9B88-4806-8E85-A125D658F57A} (EZFileView Class) - https://ampf.ez-data...ImageViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ampf.com
O17 - HKLM\Software\..\Telephony: DomainName = ampf.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ampf.com
O20 - Winlogon Notify: NotLog - C:\WINDOWS\SYSTEM32\SGLogEx.dll
O20 - Winlogon Notify: SGLogNotification - C:\WINDOWS\SYSTEM32\SGLogNotification.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Program Files\RDS\ddsschednt.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Program Files\IOGear\ION\IoctlSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Program Files\RDS\RsiSvc.exe
O23 - Service: SafeGuard Easy Client (SgeClient) - Unknown owner - C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
O23 - Service: SafeGuard Easy Control (SgeCtl) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
O23 - Service: SafeGuard SGLOG Player (SgLogPlayer) - Utimaco Safeware AG - C:\WINDOWS\system32\SgLogPlayer.exe
O23 - Service: SafeGuard Easy Workstation Server (WksCfgSrv) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe

--
End of file - 11400 bytes

#4 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 06 June 2008 - 12:46 PM

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\roieaslr.dll
    C:\WINDOWS\system32\dtmdwlft.dll
    C:\WINDOWS\system32\thiwsjqf.dll
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use ATF Cleaner to remove temp files,
cookies, cache, ect...

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please do an online scan with Kaspersky WebScanner

You need to use Internet Explorer for this scan.

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Also post a new HijackThis log and let me know how it's running.
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#5 Lpinto

Lpinto

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 06 June 2008 - 05:45 PM

Hi Dave - thanks again for the help - the computer seems to be working better - in fact the Windows Auto Update program is working again and downloaded and installed a critical update. The computer is loading faster than before and I am not getting any redirects while connected to the internet. I am getting a windows security notice everytime I go onto the internet stating . . "Your current security settings put your computer at risk. Click here to change your security settings." - any thoughts?

Sorry for the delay in getting back to you. I am having difficulty in completing the Kaspersky Online Scan. I have tried it twice and it has stop each time after about one hour and 30 minutes the only thing I can think of is that the computer is timing out and disconnecting from the internet? The first time I thought I had hit a key or something but the second I was quite careful in not doing that. Any thoughts?

Below are the scans you had requested other than the Kaspersky whcih I will try to do again.

By the way for the OTMoveIt2 I could not find the .log file you had mentioned in your instructions - I did find the OTMoveIt2 file folder and the internal file but none were listed as you had explained. So I copy/pasted the results window shown below

Explorer killed successfully
DllUnregisterServer procedure not found in C:\WINDOWS\system32\roieaslr.dll
C:\WINDOWS\system32\roieaslr.dll NOT unregistered.
C:\WINDOWS\system32\roieaslr.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\dtmdwlft.dll
C:\WINDOWS\system32\dtmdwlft.dll NOT unregistered.
C:\WINDOWS\system32\dtmdwlft.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\thiwsjqf.dll
C:\WINDOWS\system32\thiwsjqf.dll NOT unregistered.
C:\WINDOWS\system32\thiwsjqf.dll moved successfully.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06062008_115917


Malwarebytes' Anti-Malware 1.15
Database version: 834

12:34:14 PM 6/6/2008
mbam-log-6-6-2008 (12-34-14).txt

Scan type: Quick Scan
Objects scanned: 44014
Time elapsed: 11 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Spy_File_geBUOeDw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:29:31, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\IOGear\ION\IoctlSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\RDS\RsiSvc.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SgLogPlayer.exe
C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://advisorcompass.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SGEConfiguration] "C:\Program Files\Utimaco\SafeGuard Easy\SGEConfigurations.bat"
O4 - HKLM\..\Run: [EdWizard] "C:\Program Files\Utimaco\SafeGuard Easy\EdWizard.exe" as
O4 - HKLM\..\Run: [SgeEcView] "C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [RunningApp] C:\Program Files\Configuration\shared\Runningapp.vbs
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [AltirisConfiguration] "C:\Program Files\Configuration\ConfigCheck\ScheduleConfig.vbs"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-full\SpywareVanisher.exe -FastScan
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.ez-data.com
O15 - Trusted Zone: *.ezdata.com
O15 - Trusted Zone: *.smartofficeonline.com
O15 - Trusted Zone: *.50below.com (HKLM)
O15 - Trusted Zone: *.advisorcompass.com (HKLM)
O15 - Trusted Zone: *.aefatesting.com (HKLM)
O15 - Trusted Zone: *.aexp.com (HKLM)
O15 - Trusted Zone: *.americanexpress.com (HKLM)
O15 - Trusted Zone: *.ameriprise.com (HKLM)
O15 - Trusted Zone: *.ameriprisecentral.com (HKLM)
O15 - Trusted Zone: *.amexweb.com (HKLM)
O15 - Trusted Zone: *.ampadvisor.com (HKLM)
O15 - Trusted Zone: *.ampf.com (HKLM)
O15 - Trusted Zone: *.awaxpqapilot.morningstar.com (HKLM)
O15 - Trusted Zone: *.documentsonthenet.com (HKLM)
O15 - Trusted Zone: *.ez-data.com (HKLM)
O15 - Trusted Zone: *.foremostadvice.com (HKLM)
O15 - Trusted Zone: *.FundPOINTDesktop.com (HKLM)
O15 - Trusted Zone: *.mainaccount.com (HKLM)
O15 - Trusted Zone: *.marketwatch.com (HKLM)
O15 - Trusted Zone: *.ogilvy.com (HKLM)
O15 - Trusted Zone: *.orders.com (HKLM)
O15 - Trusted Zone: *.pii121.com (HKLM)
O15 - Trusted Zone: *.riversource.com (HKLM)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {17B1601D-4A50-4E19-A588-0F6C2B23AABC} (SmartConvertor) - https://ampf.ez-data...rtConvertor.cab
O16 - DPF: {1FA44E01-A60B-4449-BF97-66CDAA200433} (SOConfig6 Class) - https://ampf.ez-data...s/SOConfig6.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {D22621D3-E219-4B03-AF3E-5E8AEF7CC70B} (SmartBridge6 Class) - https://ampf.ez-data...OfficeLink6.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.advi...ecom0/dwa7W.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ameriprise.w...bex/ieatgpc.cab
O16 - DPF: {E78D37F9-9B88-4806-8E85-A125D658F57A} (EZFileView Class) - https://ampf.ez-data...ImageViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ampf.com
O17 - HKLM\Software\..\Telephony: DomainName = ampf.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ampf.com
O20 - Winlogon Notify: NotLog - C:\WINDOWS\SYSTEM32\SGLogEx.dll
O20 - Winlogon Notify: SGLogNotification - C:\WINDOWS\SYSTEM32\SGLogNotification.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Program Files\RDS\ddsschednt.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Program Files\IOGear\ION\IoctlSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Program Files\RDS\RsiSvc.exe
O23 - Service: SafeGuard Easy Client (SgeClient) - Unknown owner - C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
O23 - Service: SafeGuard Easy Control (SgeCtl) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
O23 - Service: SafeGuard SGLOG Player (SgLogPlayer) - Utimaco Safeware AG - C:\WINDOWS\system32\SgLogPlayer.exe
O23 - Service: SafeGuard Easy Workstation Server (WksCfgSrv) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe

--
End of file - 11383 bytes

#6 Lpinto

Lpinto

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 06 June 2008 - 05:48 PM

Hi Dave - one more item on the computer and how itis running - I forgot to mention the desktop clock is still on military time - suggestions on getting it back to regular time?

#7 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 06 June 2008 - 06:14 PM

This should change it back to normal time. Set the Windows XP Clock back from Military Time Click "My Computer" Open the Control Panel Select Time Options Classic View: Open Reginal and Language Options. Category View: Date, Time, Language and Regional Options. Click "Change the format of numbers, dates, and times". Select the "Regional Options" tab. Next to the box that shows your selected language click "Customize". Click the "Time" tab. In the "Time Format" select: "h:mm:ss:tt"
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#8 Lpinto

Lpinto

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 06 June 2008 - 06:24 PM

Thanks Dave - the time change worked Do you still need the Kaspersky Online Scan? I am assuming that your quick reply was to help with the time issue and that you are still reviewing the scans so I was ot sure if you still wanted the Kaspersky Scan?

#9 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 06 June 2008 - 06:35 PM

Yes I would still like to see a kaspersky scan run. It will likely take a while so set it off before you go to bed and it should be done by the am.
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#10 Lpinto

Lpinto

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 07 June 2008 - 12:55 AM

Hi Dave, I have spent 6 hours of scanning (4 attempts) trying to get a to get a complete Kaspersky Online Scan and each one has closed without warning at approximately one hour 35 minutes approximately 55% completed. I am at this time trying another scan which is currently 14 minutes in and 22% completed. Do you have any suggestions or thoughts? I was going to download the Kaspersky Anti-Virus free trial version but it stated that if I had any other anti-virus software running it would create conflicts. I have McAfee Enterprise Edition that I have disabled best I could - it is a proprietary version from my company - I do not have the CD to reload if I was to remove from my system - so because of this I am not sure if it will conflict wth Kaspersky so I did not install the trial version. Any thoughts - have you heard of prior events with Kaspersky Online Scanner stopping in the middle of a scan without warning?

    Advertisements

Register to Remove


#11 Lpinto

Lpinto

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 07 June 2008 - 02:34 AM

Dave I was right it is timing out after the 5th time - I wanted too long to access and it timed out at 65% - I will try again i the morning

#12 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 07 June 2008 - 05:42 AM

If you cannot get the Kaspersky scan to run then there are other online scans we can try so you don't have to worry about conflicts with McAfee. Here's another we can try.

You will need to run this with Internet Explorer.
Run Panda's ActiveScan from here and perform a full system scan.
  • Once you are on the Panda site click the "Scan your PC" button
  • A new window will open...
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address
  • Select either Home User or Company
    NOTE: If you do not want to receive any marketing material from Panda select I do not want... at the bottom.
  • Click the big Free Online Scan button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
  • If you are on a slow connection it will take about 15 minuites for the scanner to load.
  • Click on "Local Disks" to start the scan
  • Once scan is done, click "see report" then "save report"
  • Save the log someplace you can find
  • Reboot
  • Post the Panda scan results in your next reply

IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#13 Lpinto

Lpinto

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 07 June 2008 - 06:54 PM

Hi Dave - boy that took forever to complete - fortunately there was no timouts - I do not undestand why Kaspersky didn't work - I have seen the report on other threads and I was hoping I could get on here - I tried again last night until 4AM but 75% done it closed again - do you think this is the McAfee? The Mis not in the quick start bar at the bottom like ti usually is so I will try the Kaspersky scan again but below is the Panda fuill scan - hope it helps The computer seems to be working well - loads fast and no redirects. ANALYSIS: 2008-06-07 17:42:31 PROTECTIONS: 1 MALWARE: 9 SUSPECTS: 0 ;******************************************************************************* ********************************************************************************* ******************* PROTECTIONS Description Version Active Updated ;=============================================================================== ================================================================================= =================== VirusScan Enterprise + AntiSpyware Enterprise8.5.0.781 Yes Yes ;=============================================================================== ================================================================================= =================== MALWARE Id Description Type Active Severity Disinfectable Disinfected Location ;=============================================================================== ================================================================================= =================== 00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Len Pinto\Cookies\len_pinto@com[1].txt 01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\Len Pinto\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe] 01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP973\A0155632.EXE 02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP973\A0155599.sys 02995623 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\brovxclx.dll.vir 02995623 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP973\A0155559.dll 03007334 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP966\A0151296.dll 03007334 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP965\A0151219.dll 03007914 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\qvvitiny.dll.vir 03007914 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP973\A0155563.dll 03007914 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP973\A0155566.dll 03007914 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\ngpljxek.dll.vir 03032060 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP973\A0155557.exe 03032060 Adware/VapSup Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\xmpstean.exe.vir 03042449 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP973\A0155564.dll 03042449 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP973\A0155570.dll ;=============================================================================== ================================================================================= =================== SUSPECTS Sent Location 4 ;=============================================================================== ================================================================================= =================== ;=============================================================================== ================================================================================= =================== VULNERABILITIES Id Severity Description 4 ;=============================================================================== ================================================================================= =================== ;=============================================================================== ================================================================================= ===================

#14 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 07 June 2008 - 07:04 PM

Panda didn't find much, a cookie, some items in combofix quarantine, and restore points. We'll clear out the last 2 now.

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


  • Posted Image
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

You can try Kaspersky again after clearing out those items and maybe that will help. Did you try totally disabling McAfee while Kaspersky runs? Let me know how you make out but I would worry too much about it, I think you're pretty much in the clear.

Dave
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#15 Lpinto

Lpinto

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 08 June 2008 - 01:19 AM

Hi Dave - thanks for your patience - sorry it has taken so long to get back with you
I reinstalled SpyBot SD 1.5.2 so I could disable McAfee and then turn off teatimer and re-try Kaspersky Scan - well after 2hours 40 minutes it completes and the report is below and a new hijackthis report

I initially had problems downloading after the ComboFix /u but with some system changes and a reboot got it working.

I have the McAfee Enterprise anti-virus as proprietary software and cannot use another - what other freeware would you suggest to help insure I do not get infected again?
I have been using SpyBot SD, Adaware, Spyblaster, and Hijackthis - any others you feel I need?

What do you think - have you cleared the nasty malware?

Sunday, June 08, 2008 12:03:27 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/06/2008
Kaspersky Anti-Virus database records: 838711


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 96296
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 02:35:27

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_W737576.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_W737576.log Object is locked skipped

C:\Documents and Settings\Len Pinto\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Len Pinto\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Len Pinto\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Len Pinto\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Len Pinto\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Len Pinto\Local Settings\History\History.IE5\MSHist012008060720080608\index.dat Object is locked skipped

C:\Documents and Settings\Len Pinto\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Len Pinto\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Len Pinto\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Len Pinto\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Altiris\Altiris Agent\Software Delivery\pkgdlvlk.tmp Object is locked skipped

C:\Program Files\Altiris\Altiris Agent\Tasks\AeXTaskSchedulerLock\taskSchedulerLock.tmp Object is locked skipped

C:\Program Files\Network Associates\System Compliance Profiler\PtchScan.log Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\tracking.log Object is locked skipped

C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP1\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped

C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped

C:\WINDOWS\system32\msmq\storage\QMLog Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_ac0.dat Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_e8.dat Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:10 AM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\IOGear\ION\IoctlSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\RDS\RsiSvc.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\SgLogPlayer.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://advisorcompass.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SGEConfiguration] "C:\Program Files\Utimaco\SafeGuard Easy\SGEConfigurations.bat"
O4 - HKLM\..\Run: [EdWizard] "C:\Program Files\Utimaco\SafeGuard Easy\EdWizard.exe" as
O4 - HKLM\..\Run: [SgeEcView] "C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe"
O4 - HKLM\..\Run: [RunningApp] C:\Program Files\Configuration\shared\Runningapp.vbs
O4 - HKLM\..\Run: [AltirisConfiguration] "C:\Program Files\Configuration\ConfigCheck\ScheduleConfig.vbs"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.ez-data.com
O15 - Trusted Zone: *.ezdata.com
O15 - Trusted Zone: *.smartofficeonline.com
O15 - Trusted Zone: *.50below.com (HKLM)
O15 - Trusted Zone: *.advisorcompass.com (HKLM)
O15 - Trusted Zone: *.aefatesting.com (HKLM)
O15 - Trusted Zone: *.aexp.com (HKLM)
O15 - Trusted Zone: *.americanexpress.com (HKLM)
O15 - Trusted Zone: *.ameriprise.com (HKLM)
O15 - Trusted Zone: *.ameriprisecentral.com (HKLM)
O15 - Trusted Zone: *.amexweb.com (HKLM)
O15 - Trusted Zone: *.ampadvisor.com (HKLM)
O15 - Trusted Zone: *.ampf.com (HKLM)
O15 - Trusted Zone: *.awaxpqapilot.morningstar.com (HKLM)
O15 - Trusted Zone: *.documentsonthenet.com (HKLM)
O15 - Trusted Zone: *.ez-data.com (HKLM)
O15 - Trusted Zone: *.foremostadvice.com (HKLM)
O15 - Trusted Zone: *.FundPOINTDesktop.com (HKLM)
O15 - Trusted Zone: *.mainaccount.com (HKLM)
O15 - Trusted Zone: *.marketwatch.com (HKLM)
O15 - Trusted Zone: *.ogilvy.com (HKLM)
O15 - Trusted Zone: *.orders.com (HKLM)
O15 - Trusted Zone: *.pii121.com (HKLM)
O15 - Trusted Zone: *.riversource.com (HKLM)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {17B1601D-4A50-4E19-A588-0F6C2B23AABC} (SmartConvertor) - https://ampf.ez-data...rtConvertor.cab
O16 - DPF: {1FA44E01-A60B-4449-BF97-66CDAA200433} (SOConfig6 Class) - https://ampf.ez-data...s/SOConfig6.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {D22621D3-E219-4B03-AF3E-5E8AEF7CC70B} (SmartBridge6 Class) - https://ampf.ez-data...OfficeLink6.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.advi...ecom0/dwa7W.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ameriprise.w...bex/ieatgpc.cab
O16 - DPF: {E78D37F9-9B88-4806-8E85-A125D658F57A} (EZFileView Class) - https://ampf.ez-data...ImageViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ampf.com
O17 - HKLM\Software\..\Telephony: DomainName = ampf.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ampf.com
O20 - Winlogon Notify: NotLog - C:\WINDOWS\SYSTEM32\SGLogEx.dll
O20 - Winlogon Notify: SGLogNotification - C:\WINDOWS\SYSTEM32\SGLogNotification.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Program Files\RDS\ddsschednt.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Program Files\IOGear\ION\IoctlSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Program Files\RDS\RsiSvc.exe
O23 - Service: SafeGuard Easy Client (SgeClient) - Unknown owner - C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
O23 - Service: SafeGuard Easy Control (SgeCtl) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
O23 - Service: SafeGuard SGLOG Player (SgLogPlayer) - Utimaco Safeware AG - C:\WINDOWS\system32\SgLogPlayer.exe
O23 - Service: SafeGuard Easy Workstation Server (WksCfgSrv) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe

--
End of file - 11573 bytes

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users