PC running slow and pop windows

Started by GraemeT , Jun 14 2009 11:14 PM

This topic is locked

10 replies to this topic

#1 GraemeT

Member

Members
14 posts

Posted 14 June 2009 - 11:13 PM

Hi,

My PC has been running really slowy of late ant processor is always running high and last night looks like to got a trojan on it and it got stuck and I had to do a Windows Restore Point so that i could use any fucntion on the PC.

Hope you can help me out please

Graeme

This is my HiJackThis trace and AdAware log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:30:25, on 14/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\CATPC\CATSYS\CatSystemSvc.exe
C:\Program Files\Siemens\CAT Bulletin Board\CBBS.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\Program Files\Siemens\HiPath 4000 Expert Access\ComWinSvc.exe
C:\Program Files\Siemens\HiPath 4000 Expert Access\ComWinAccess.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\Program Files\Siemens Communications\PCAuditorService\PCAuditorService.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\WINNT\TEMP\UV3734.EXE
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\Program Files\OfficeScan NT\CNTAoSMgr.exe
C:\WINNT\MS\SMS\clicomp\sinv\sinv32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Siemens\CAT Bulletin Board\CBB.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\OfficeScan NT\pccntmon.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Siemens\HiPath 4000 Expert Access\comwinsvr.exe
C:\Program Files\Iomega\Iomega Backup\dtsc.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://insite.intran...enscomms.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Siemens Enterprise Communications
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://insite.intran...CATXP/xpcat.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = GBNTHT12015SRV:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.sitest.net;*.siemens.net;*.siemens.de;127.0.0.1;localhost;NTH4553C;<local>;*.local
F2 - REG:system.ini: UserInit=CatUInit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {88cb6025-4ac4-4d85-b8b7-2021f796eb5f} - C:\WINNT\system32\rejikago.dll
O3 - Toolbar: BS.Player ControlBar - {2C688203-7EB3-4327-9995-1CB417BA23F9} - C:\Program Files\BS.Player ControlBar\BSToolbar.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Java Profiles Fix] C:\Program Files\Java\Profile Fix\Java_Profile.exe
O4 - HKLM\..\Run: [JavaProfileFix2] C:\Program Files\Java\Profile Fix\Java_Profile_2.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DirXconnect settings] C:\PROGRA~1\SIEMENS\DIRXDI~1\dxdSetup.exe -silent -dxcsettings
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [USM] C:\Program Files\Siemens\USM\USM.exe
O4 - HKLM\..\Run: [FmViewF9] C:\PROGRA~1\WINCOR~1\FMView\FMVIEWF9.DLL -l
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [Discovery User Input] C:\Discovery\User Input\userin32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [JavaProfileFix3] "C:\Program Files\Java\Profile Fix\JAVA_Fix 3.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [1c7456bd] rundll32.exe "C:\WINNT\system32\bosegoko.dll",b
O4 - HKLM\..\Run: [CPM1f476521] Rundll32.exe "c:\winnt\system32\tumuwaku.dll",a
O4 - HKLM\..\Run: [siruvatoko] Rundll32.exe "C:\WINNT\system32\vomepizu.dll",s
O4 - HKCU\..\Run: [CatUserRun] exec32 /wh /c chgreg5 /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ComWin-Frame] C:\Program Files\Siemens\HiPath 4000 Expert Access\comwinsvr.exe /hidemainform
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-205172245-3898785446-1611566086-1008\..\Run: [CatUserRun] wscript.exe "C:\Program Files\CatPC\CatLogon\CatUserRun.vbe" (User 'SMSCliSvcAcct&')
O4 - HKUS\S-1-5-21-205172245-3898785446-1611566086-1008\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe" (User 'SMSCliSvcAcct&')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe" (User 'Default user')
O4 - Global Startup: Iomega Backup Scheduler.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.216.10.121.30
O15 - Trusted Zone: *.affiniti.com
O15 - Trusted Zone: *.atlas.co.uk
O15 - Trusted Zone: *.cisco.com
O15 - Trusted Zone: *.conferencelobby.com
O15 - Trusted Zone: *.conferencing.com
O15 - Trusted Zone: *.confirmit.com
O15 - Trusted Zone: *.corporateexpress.co.uk
O15 - Trusted Zone: *.custhelp.com
O15 - Trusted Zone: *.designafairs.com
O15 - Trusted Zone: *.documentgenie.co.uk
O15 - Trusted Zone: *.ecommittees.bsi-global.com
O15 - Trusted Zone: *.edvantage.net
O15 - Trusted Zone: *.freeway.demo.lionbridge.com
O15 - Trusted Zone: *.g-dms.com
O15 - Trusted Zone: *.genesys.com
O15 - Trusted Zone: *.genesysmeetingcenter.com
O15 - Trusted Zone: *.genesysrichmedia.com
O15 - Trusted Zone: *.hipath-partnernet.icn.siemens.com
O15 - Trusted Zone: *.iconf.net
O15 - Trusted Zone: *.lufthansa.com
O15 - Trusted Zone: *.mchp7fra.siemens.com
O15 - Trusted Zone: *.mcmplus.com
O15 - Trusted Zone: *.monsoon5.com
O15 - Trusted Zone: *.mrtedtalentlink.com
O15 - Trusted Zone: *.multimediabrains.nl
O15 - Trusted Zone: *.mymeetingplace.net
O15 - Trusted Zone: *.openscape.siemenscomms.net
O15 - Trusted Zone: *.passport.com
O15 - Trusted Zone: *.plantro.net
O15 - Trusted Zone: *.polycom.com
O15 - Trusted Zone: *.procon.cpdni.gov.uk
O15 - Trusted Zone: *.raindance.com
O15 - Trusted Zone: *.remedy.com
O15 - Trusted Zone: *.retaillink.wal-mart.com
O15 - Trusted Zone: *.rightnowdemo.com
O15 - Trusted Zone: *.rightnowtech.com
O15 - Trusted Zone: *.sap-ag.de
O15 - Trusted Zone: *.sap.com
O15 - Trusted Zone: *.siebel.com
O15 - Trusted Zone: *.siemens-cam.com
O15 - Trusted Zone: *.siemenscomms.co.uk
O15 - Trusted Zone: *.silentedge.co.uk
O15 - Trusted Zone: *.thomasinternational.net
O15 - Trusted Zone: *.vebra.com
O15 - Trusted Zone: *.webex.com
O15 - Trusted Zone: *.sap-ag.de (HKLM)
O15 - Trusted Zone: *.sap.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_13) -
O16 - DPF: {F53270D3-0E32-48B7-B63B-159E33210F70} (Livelink Edit Control) - https://www.g-dms.co...bexp/lledit.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gb002.siemens.net
O17 - HKLM\Software\..\Telephony: DomainName = gb002.siemens.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B3E5D43-083F-4C69-9951-244100FAB5ED}: Domain = gb002.siemens.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B3E5D43-083F-4C69-9951-244100FAB5ED}: NameServer = 172.23.3.8,172.24.35.206
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gb002.siemens.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINNT\system32\setuwuja.dll c:\winnt\system32\tumuwaku.dll,C:\WINNT\system32\kibekobu.dll,C:\WINNT\system32\gedarehi.dll c:\winnt\system32\lupemepu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\tumuwaku.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\tumuwaku.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CatSystem (CatSystemSvc) - Siemens AG - C:\WINNT\CATPC\CATSYS\CatSystemSvc.exe
O23 - Service: CAT Bulletin Board (CBBS) - Unknown owner - C:\Program Files\Siemens\CAT Bulletin Board\CBBS.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\Centenn.ial\Audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C:\Centenn.ial\Audit\xferwan.exe
O23 - Service: ComWin Service (ComWinService) - Unknown owner - C:\Program Files\Siemens\HiPath 4000 Expert Access\ComWinSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe
O23 - Service: PCAuditorService - Siemens Enterprise Communications Ltd - C:\Program Files\Siemens Communications\PCAuditorService\PCAuditorService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe

--
End of file - 13797 bytes

AdAware Log:

MSG [3240] 2009/06/13 23:09:53: Configure new scan with profile: smart
MSG [3240] 2009/06/13 23:09:53: -> scanning critical objects
MSG [3240] 2009/06/13 23:09:53: -> scanning running processes
MSG [3240] 2009/06/13 23:09:53: -> scanning registry
MSG [3240] 2009/06/13 23:09:53: -> scanning lsp
MSG [3240] 2009/06/13 23:09:53: -> scanning browser hijacks
MSG [3240] 2009/06/13 23:09:53: -> scanning cookies
MSG [3240] 2009/06/13 23:09:53: -> neutralizing rootkits
MSG [3240] 2009/06/13 23:09:53: -> use spyware heuristics
MSG [3240] 2009/06/13 23:09:53: -> scan only executables
MSG [3240] 2009/06/13 23:09:53: -> file size limit = 20480 kB (0 = unlimited)
MSG [3896] 2009/06/13 23:39:10: Scan was completed in 1756 seconds
MSG [3896] 2009/06/13 23:39:10: Objects processed: 36018, infections detected: 54
MSG [3740] 2009/06/14 00:19:19: Remediating 54 infections
MSG [3740] 2009/06/14 00:20:25: Infections quarantined: 0, removed: 51, repaired: 0
MSG [3740] 2009/06/14 00:20:25: Infections ignored by remediation: 3 (0 whitelisted, 3 skipped).
MSG [3240] 2009/06/14 00:20:27: Dumping scan report:
>>> Logfile created: 13/06/2009 23:9:55
>>> Lavasoft Ad-Aware version: 8.0.5
>>> Extended engine version: 8.1
>>> User performing scan: graeme.truluck
>>>
>>> *********************** Definitions database information ***********************
>>> Lavasoft definition file: 148.51
>>> Extended engine definition file: 8.1
>>>
>>> ******************************** Scan results: *********************************
>>> Scan profile name: Smart Scan (ID: smart)
>>> Objects scanned: 36018
>>> Objects detected: 54
>>>
>>>
>>> Type Detected
>>> ==========================
>>> Processes.......: 0
>>> Registry entries: 3
>>> Hostfile entries: 0
>>> Files...........: 0
>>> Folders.........: 0
>>> LSPs............: 0
>>> Cookies.........: 51
>>> Browser hijacks.: 0
>>> MRU objects.....: 0
>>>
>>>
>>>
>>> Skipped items:
>>> Description: HKLM:HKEY_CLASSES_ROOT\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}: Family Name: unknown Clean status: Success Item ID: 1 Family ID: 0
>>> Description: HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad:SSODL Family Name: unknown Clean status: Success Item ID: 1 Family ID: 0
>>> Description: HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler:{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} Family Name: unknown Clean status: Success Item ID: 1 Family ID: 0
>>>
>>> Removed items:
>>> Description: *ad.yieldmanager* Family Name: Cookies Clean status: Success Item ID: 409172 Family ID: 0
>>> Description: *adrevolver* Family Name: Cookies Clean status: Success Item ID: 408932 Family ID: 0
>>> Description: *doubleclick* Family Name: Cookies Clean status: Success Item ID: 408875 Family ID: 0
>>> Description: *media.adrevolver* Family Name: Cookies Clean status: Success Item ID: 409144 Family ID: 0
>>> Description: *overture* Family Name: Cookies Clean status: Success Item ID: 408834 Family ID: 0
>>> Description: *redeye* Family Name: Cookies Clean status: Success Item ID: 408979 Family ID: 0
>>> Description: *adserver* Family Name: Cookies Clean status: Success Item ID: 408737 Family ID: 0
>>> Description: *adserv* Family Name: Cookies Clean status: Success Item ID: 408921 Family ID: 0
>>> Description: *adserve* Family Name: Cookies Clean status: Success Item ID: 409020 Family ID: 0
>>> Description: *adrevolver* Family Name: Cookies Clean status: Success Item ID: 408932 Family ID: 0
>>> Description: *media.adrevolver* Family Name: Cookies Clean status: Success Item ID: 409144 Family ID: 0
>>> Description: *ad.yieldmanager* Family Name: Cookies Clean status: Success Item ID: 409172 Family ID: 0
>>> Description: *apmebf* Family Name: Cookies Clean status: Success Item ID: 409163 Family ID: 0
>>> Description: *mediaplex* Family Name: Cookies Clean status: Success Item ID: 408991 Family ID: 0
>>> Description: *doubleclick* Family Name: Cookies Clean status: Success Item ID: 408875 Family ID: 0
>>> Description: *atdmt* Family Name: Cookies Clean status: Success Item ID: 408910 Family ID: 0
>>> Description: *advertis* Family Name: Cookies Clean status: Success Item ID: 408918 Family ID: 0
>>> Description: *advertising* Family Name: Cookies Clean status: Success Item ID: 409017 Family ID: 0
>>> Description: *specificclick* Family Name: Cookies Clean status: Success Item ID: 408807 Family ID: 0
>>> Description: *adviva* Family Name: Cookies Clean status: Success Item ID: 409016 Family ID: 0
>>> Description: *questionmarket* Family Name: Cookies Clean status: Success Item ID: 408819 Family ID: 0
>>> Description: *trafficmp* Family Name: Cookies Clean status: Success Item ID: 408787 Family ID: 0
>>> Description: *adultfriendfinder* Family Name: Cookies Clean status: Success Item ID: 409164 Family ID: 0
>>> Description: *statse.webtrends* Family Name: Cookies Clean status: Success Item ID: 408803 Family ID: 0
>>> Description: *webtrendslive* Family Name: Cookies Clean status: Success Item ID: 408954 Family ID: 0
>>> Description: *.webtrendslive* Family Name: Cookies Clean status: Success Item ID: 409033 Family ID: 0
>>> Description: *statse.webtrendslive* Family Name: Cookies Clean status: Success Item ID: 409269 Family ID: 0
>>> Description: *webtrends* Family Name: Cookies Clean status: Success Item ID: 599640 Family ID: 0
>>> Description: *bs.serving-sys* Family Name: Cookies Clean status: Success Item ID: 408902 Family ID: 0
>>> Description: *serving-sys* Family Name: Cookies Clean status: Success Item ID: 409130 Family ID: 0
>>> Description: *tradedoubler* Family Name: Cookies Clean status: Success Item ID: 408964 Family ID: 0
>>> Description: *kelkoo* Family Name: Cookies Clean status: Success Item ID: 408851 Family ID: 0
>>> Description: *hitbox* Family Name: Cookies Clean status: Success Item ID: 408858 Family ID: 0
>>> Description: *.hitbox* Family Name: Cookies Clean status: Success Item ID: 409072 Family ID: 0
>>> Description: *adbrite* Family Name: Cookies Clean status: Success Item ID: 409218 Family ID: 0
>>> Description: *statcounter* Family Name: Cookies Clean status: Success Item ID: 409185 Family ID: 0
>>> Description: *trafic* Family Name: Cookies Clean status: Success Item ID: 409119 Family ID: 0
>>> Description: *adserv* Family Name: Cookies Clean status: Success Item ID: 408921 Family ID: 0
>>> Description: *partypoker* Family Name: Cookies Clean status: Success Item ID: 409141 Family ID: 0
>>> Description: *2o7* Family Name: Cookies Clean status: Success Item ID: 408943 Family ID: 0
>>> Description: *fastclick* Family Name: Cookies Clean status: Success Item ID: 408869 Family ID: 0
>>> Description: *adserver* Family Name: Cookies Clean status: Success Item ID: 408737 Family ID: 0
>>> Description: *adserve* Family Name: Cookies Clean status: Success Item ID: 409020 Family ID: 0
>>> Description: *real* Family Name: Cookies Clean status: Success Item ID: 408817 Family ID: 0
>>> Description: *247realmedia* Family Name: Cookies Clean status: Success Item ID: 408945 Family ID: 0
>>> Description: *realmedia* Family Name: Cookies Clean status: Success Item ID: 409139 Family ID: 0
>>> Description: *.sageanalyst* Family Name: Cookies Clean status: Success Item ID: 409054 Family ID: 0
>>> Description: *adtech* Family Name: Cookies Clean status: Success Item ID: 409018 Family ID: 0
>>> Description: *.hitslink* Family Name: Cookies Clean status: Success Item ID: 409071 Family ID: 0
>>> Description: *tribalfusion* Family Name: Cookies Clean status: Success Item ID: 408785 Family ID: 0
>>> Description: *kontera* Family Name: Cookies Clean status: Success Item ID: 409363 Family ID: 0
>>>
>>> Scan and cleaning complete: Finished correctly after 1756 seconds
>>>
>>> *********************************** Settings ***********************************
>>>
>>> Scan profile:
>>> ID: smart, enabled:1, value: Smart Scan
>>> ID: scancriticalareas, enabled:1, value: true
>>> ID: scanrunningapps, enabled:1, value: true
>>> ID: scanregistry, enabled:1, value: true
>>> ID: scanlsp, enabled:1, value: true
>>> ID: scanads, enabled:1, value: false
>>> ID: scanhostsfile, enabled:1, value: false
>>> ID: scanmru, enabled:1, value: false
>>> ID: scanbrowserhijacks, enabled:1, value: true
>>> ID: scantrackingcookies, enabled:1, value: true
>>> ID: closebrowsers, enabled:1, value: false
>>> ID: folderstoscan, enabled:1, value:
>>> ID: scanrootkits, enabled:1, value: true
>>> ID: usespywareheuristics, enabled:1, value: true
>>> ID: extendedengine, enabled:0, value: true
>>> ID: useheuristics, enabled:0, value: true
>>> ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
>>> ID: filescanningoptions, enabled:1
>>> ID: archives, enabled:1, value: false
>>> ID: onlyexecutables, enabled:1, value: true
>>> ID: skiplargerthan, enabled:1, value: 20480
>>>
>>> Scan global:
>>> ID: global, enabled:1
>>> ID: addtocontextmenu, enabled:1, value: false
>>> ID: playsoundoninfection, enabled:1, value: false
>>> ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav
>>>
>>> Scheduled scan settings:
>>> <Empty>
>>>
>>> Update settings:
>>> ID: updates, enabled:1
>>> ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently
>>> ID: displaystatus, enabled:1, value: false
>>> ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
>>> ID: autodetectproxy, enabled:1, value: false
>>> ID: useautoconfigscript, enabled:1, value: false
>>> ID: autoconfigurl, enabled:0, value:
>>> ID: useproxy, enabled:1, value: false
>>> ID: proxyserver, enabled:0, value:
>>> ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
>>> ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
>>> ID: schedules, enabled:1, value: true
>>> ID: updatedaily, enabled:1, value: Daily
>>> ID: time, enabled:1, value: Mon Apr 20 00:24:00 2009
>>> ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
>>> ID: weekdays, enabled:1
>>> ID: monday, enabled:1, value: false
>>> ID: tuesday, enabled:1, value: false
>>> ID: wednesday, enabled:1, value: false
>>> ID: thursday, enabled:1, value: false
>>> ID: friday, enabled:1, value: false
>>> ID: saturday, enabled:1, value: false
>>> ID: sunday, enabled:1, value: false
>>> ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
>>> ID: scanprofile, enabled:1, value:
>>> ID: auto_deal_with_infections, enabled:1, value: false
>>> ID: updateweekly, enabled:1, value: Weekly
>>> ID: time, enabled:1, value: Mon Apr 20 00:24:00 2009
>>> ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
>>> ID: weekdays, enabled:1
>>> ID: monday, enabled:1, value: true
>>> ID: tuesday, enabled:1, value: false
>>> ID: wednesday, enabled:1, value: false
>>> ID: thursday, enabled:1, value: false
>>> ID: friday, enabled:1, value: false
>>> ID: saturday, enabled:1, value: false
>>> ID: sunday, enabled:1, value: false
>>> ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
>>> ID: scanprofile, enabled:1, value:
>>> ID: auto_deal_with_infections, enabled:1, value: false
>>>
>>> Appearance settings:
>>> ID: appearance, enabled:1
>>> ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
>>> ID: showtrayicon, enabled:1, value: true
>>> ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language
>>>
>>> Realtime protection settings:
>>> ID: realtime, enabled:1
>>> ID: processprotection, enabled:1, value: true
>>> ID: registryprotection, enabled:0, value: false
>>> ID: networkprotection, enabled:0, value: false
>>> ID: loadatstartup, enabled:1, value: true
>>> ID: usespywareheuristics, enabled:0, value: true
>>> ID: extendedengine, enabled:0, value: false
>>> ID: useheuristics, enabled:0, value: false
>>> ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
>>> ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant
>>>
>>>
>>> ****************************** System information ******************************
>>> Computer name: NTH4553C
>>> Processor name: Intel® Pentium® 4 Mobile CPU 1.60GHz
>>> Processor identifier: x86 Family 15 Model 2 Stepping 4
>>> Raw info: processorarchitecture 0, processortype 586, processorlevel 15, processor revision 516, number of processors 1
>>> Physical memory available: 480407552 bytes
>>> Physical memory total: 1072672768 bytes
>>> Virtual memory available: 2038734848 bytes
>>> Virtual memory total: 2147352576 bytes
>>> Memory load: 55%
>>> Microsoft Windows XP Professional Service Pack 2 (build 2600)
>>> Windows startup mode:
>>>
>>> Running processes:
>>> PID: 732 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 828 name: \??\C:\WINNT\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 852 name: \??\C:\WINNT\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 900 name: C:\WINNT\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 912 name: C:\WINNT\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 1104 name: C:\WINNT\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 1204 name: C:\WINNT\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
>>> PID: 1240 name: C:\WINNT\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 1288 name: C:\WINNT\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
>>> PID: 1408 name: C:\WINNT\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
>>> PID: 1764 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 1816 name: C:\WINNT\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 1852 name: C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 568 name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 596 name: C:\WINNT\system32\Ati2evxx.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 636 name: C:\Program Files\Bonjour\mDNSResponder.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 716 name: C:\WINNT\CATPC\CATSYS\CatSystemSvc.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 808 name: C:\Program Files\Siemens\CAT Bulletin Board\CBBS.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 832 name: C:\Centenn.ial\Audit\CAgent32.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 1568 name: C:\Centenn.ial\Audit\xferwan.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 1608 name: C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE owner: SMSCliSvcAcct& domain: NTH4553C
>>> PID: 1620 name: C:\Program Files\Siemens\HiPath 4000 Expert Access\ComWinSvc.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 1424 name: C:\Program Files\Siemens\HiPath 4000 Expert Access\ComWinAccess.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 1904 name: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE owner: SYSTEM domain: NT AUTHORITY
>>> PID: 1972 name: C:\WINNT\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
>>> PID: 196 name: C:\Program Files\OfficeScan NT\ntrtscan.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 272 name: C:\Program Files\Siemens Communications\PCAuditorService\PCAuditorService.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 328 name: C:\WINNT\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
>>> PID: 428 name: C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 576 name: C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 680 name: C:\WINNT\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 948 name: C:\Program Files\OfficeScan NT\tmlisten.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 2260 name: C:\WINNT\TEMP\UV3734.EXE owner: SYSTEM domain: NT AUTHORITY
>>> PID: 2356 name: C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe owner: SMSCliToknLocalAcct& domain: NTH4553C
>>> PID: 3244 name: C:\WINNT\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 3436 name: C:\WINNT\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
>>> PID: 3456 name: C:\WINNT\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 3884 name: C:\Program Files\OfficeScan NT\CNTAoSMgr.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 3996 name: C:\WINNT\MS\SMS\clicomp\sinv\sinv32.exe owner: SMSCliToknLocalAcct& domain: NTH4553C
>>> PID: 488 name: C:\WINNT\Explorer.EXE owner: graeme.truluck domain: GB002
>>> PID: 2424 name: C:\Program Files\Siemens\CAT Bulletin Board\CBB.exe owner: SMSCliToknLocalAcct& domain: NTH4553C
>>> PID: 2524 name: C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe owner: graeme.truluck domain: GB002
>>> PID: 3612 name: C:\WINNT\AGRSMMSG.exe owner: graeme.truluck domain: GB002
>>> PID: 3644 name: C:\Program Files\Apoint2K\Apoint.exe owner: graeme.truluck domain: GB002
>>> PID: 2520 name: C:\WINNT\system32\atiptaxx.exe owner: graeme.truluck domain: GB002
>>> PID: 4092 name: C:\Program Files\OfficeScan NT\pccntmon.exe owner: graeme.truluck domain: GB002
>>> PID: 132 name: C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE owner: graeme.truluck domain: GB002
>>> PID: 212 name: C:\Program Files\Apoint2K\Apntex.exe owner: graeme.truluck domain: GB002
>>> PID: 1968 name: C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe owner: graeme.truluck domain: GB002
>>> PID: 2288 name: C:\Program Files\Logitech\QuickCam\Quickcam.exe owner: graeme.truluck domain: GB002
>>> PID: 2408 name: C:\Program Files\iTunes\iTunesHelper.exe owner: graeme.truluck domain: GB002
>>> PID: 892 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: graeme.truluck domain: GB002
>>> PID: 2812 name: C:\WINNT\system32\rundll32.exe owner: graeme.truluck domain: GB002
>>> PID: 2904 name: C:\WINNT\system32\ctfmon.exe owner: graeme.truluck domain: GB002
>>> PID: 3028 name: C:\Program Files\Messenger\msmsgs.exe owner: graeme.truluck domain: GB002
>>> PID: 3064 name: C:\Program Files\DNA\btdna.exe owner: graeme.truluck domain: GB002
>>> PID: 3332 name: C:\Program Files\Siemens\HiPath 4000 Expert Access\comwinsvr.exe owner: graeme.truluck domain: GB002
>>> PID: 1584 name: C:\Program Files\Iomega\Iomega Backup\dtsc.exe owner: graeme.truluck domain: GB002
>>> PID: 4064 name: C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe owner: graeme.truluck domain: GB002
>>> PID: 256 name: C:\Program Files\iPod\bin\iPodService.exe owner: SYSTEM domain: NT AUTHORITY
>>> PID: 5692 name: C:\Program Files\Internet Explorer\iexplore.exe owner: graeme.truluck domain: GB002
>>> PID: 3056 name: C:\WINNT\system32\taskmgr.exe owner: graeme.truluck domain: GB002
>>> PID: 5092 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: graeme.truluck domain: GB002
>>>
>>> Startup items:
>>> Name: AGRSMMSG
>>> imagepath: AGRSMMSG.exe
>>> Name: Java Profiles Fix
>>> imagepath: C:\Program Files\Java\Profile Fix\Java_Profile.exe
>>> Name: JavaProfileFix2
>>> imagepath: C:\Program Files\Java\Profile Fix\Java_Profile_2.exe
>>> Name: Apoint
>>> imagepath: C:\Program Files\Apoint2K\Apoint.exe
>>> Name: ATIModeChange
>>> imagepath: Ati2mdxx.exe
>>> Name: AtiPTA
>>> imagepath: atiptaxx.exe
>>> Name: DirXconnect settings
>>> imagepath: C:\PROGRA~1\SIEMENS\DIRXDI~1\dxdSetup.exe -silent -dxcsettings
>>> Name: Synchronization Manager
>>> imagepath: mobsync.exe /logon
>>> Name: USM
>>> imagepath: C:\Program Files\Siemens\USM\USM.exe
>>> Name: FmViewF9
>>> imagepath: C:\PROGRA~1\WINCOR~1\FMView\FMVIEWF9.DLL -l
>>> Name: NeroFilterCheck
>>> imagepath: C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
>>> Name: OfficeScanNT Monitor
>>> imagepath: "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
>>> Name: SMS Application Launcher
>>> imagepath: C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
>>> Name: Discovery User Input
>>> imagepath: C:\Discovery\User Input\userin32.exe
>>> Name: KernelFaultCheck
>>> imagepath: %systemroot%\system32\dumprep 0 -k
>>> Name: AppleSyncNotifier
>>> imagepath: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
>>> Name: Adobe Reader Speed Launcher
>>> imagepath: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
>>> Name: JavaProfileFix3
>>> imagepath: "C:\Program Files\Java\Profile Fix\JAVA_Fix 3.exe"
>>> Name: LogitechQuickCamRibbon
>>> imagepath: "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
>>> Name: QuickTime Task
>>> imagepath: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
>>> Name: iTunesHelper
>>> imagepath: "C:\Program Files\iTunes\iTunesHelper.exe"
>>> Name: Ad-Watch
>>> imagepath: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
>>> Name: siruvatoko
>>> imagepath: Rundll32.exe "C:\WINNT\system32\yazazene.dll",s
>>> Name: SunJavaUpdateSched
>>> imagepath: "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
>>> Name: 1c7456bd
>>> imagepath: rundll32.exe "C:\WINNT\system32\muhonigu.dll",b
>>> Name: CPM1f476521
>>> imagepath: Rundll32.exe "c:\winnt\system32\dawotihi.dll",a
>>> Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
>>> imagepath: Browseui preloader
>>> Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
>>> imagepath: Component Categories cache daemon
>>> Name: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
>>> imagepath: STS
>>> Name: PostBootReminder
>>> imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
>>> Name: CDBurn
>>> imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
>>> Name: WebCheck
>>> imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
>>> Name: SysTray
>>> imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
>>> Name: WPDShServiceObj
>>> imagepath: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}
>>> Name: SSODL
>>> imagepath: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
>>> Name: CTFMON.EXE
>>> imagepath: C:\WINNT\system32\CTFMON.EXE
>>> Name: NeroHomeFirstStart
>>> imagepath: "C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe"
>>> Name:
>>> imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
>>> Name:
>>> location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Backup Scheduler.lnk
>>> imagepath: C:\WINNT\Installer\{54BB46E4-184C-44D0-8F05-256212EDCF6D}\Icon54BB46E4.exe
>>> Name:
>>> imagepath: C:\WINNT\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
>>>
>>> Bootexecute items:
>>> Name:
>>> imagepath: autocheck autochk *
>>> Name:
>>> imagepath: lsdelete
>>>
>>> Running services:
>>> Name: ALG
>>> displayname: Application Layer Gateway Service
>>> Name: Apple Mobile Device
>>> displayname: Apple Mobile Device
>>> Name: AppMgmt
>>> displayname: Application Management
>>> Name: Ati HotKey Poller
>>> displayname: Ati HotKey Poller
>>> Name: AudioSrv
>>> displayname: Windows Audio
>>> Name: BITS
>>> displayname: Background Intelligent Transfer Service
>>> Name: Bonjour Service
>>> displayname: Bonjour Service
>>> Name: CatSystemSvc
>>> displayname: CatSystem
>>> Name: CBBS
>>> displayname: CAT Bulletin Board
>>> Name: CentennialClientAgent
>>> displayname: CentennialClientAgent
>>> Name: CentennialIPTransferAgent
>>> displayname: CentennialIPTransferAgent
>>> Name: clisvc
>>> displayname: SMS Client Service
>>> Name: ComWinService
>>> displayname: ComWin Service
>>> Name: CryptSvc
>>> displayname: Cryptographic Services
>>> Name: DcomLaunch
>>> displayname: DCOM Server Process Launcher
>>> Name: Dhcp
>>> displayname: DHCP Client
>>> Name: Dnscache
>>> displayname: DNS Client
>>> Name: Eventlog
>>> displayname: Event Log
>>> Name: EventSystem
>>> displayname: COM+ Event System
>>> Name: helpsvc
>>> displayname: Help and Support
>>> Name: HidServ
>>> displayname: HID Input Service
>>> Name: iPod Service
>>> displayname: iPod Service
>>> Name: Irmon
>>> displayname: Infrared Monitor
>>> Name: lanmanserver
>>> displayname: Server
>>> Name: lanmanworkstation
>>> displayname: Workstation
>>> Name: Lavasoft Ad-Aware Service
>>> displayname: Lavasoft Ad-Aware Service
>>> Name: LmHosts
>>> displayname: TCP/IP NetBIOS Helper
>>> Name: LVPrcSrv
>>> displayname: Process Monitor
>>> Name: MDM
>>> displayname: Machine Debug Manager
>>> Name: Messenger
>>> displayname: Messenger
>>> Name: Net Driver HPZ12
>>> displayname: Net Driver HPZ12
>>> Name: Netlogon
>>> displayname: Net Logon
>>> Name: Netman
>>> displayname: Network Connections
>>> Name: Nla
>>> displayname: Network Location Awareness (NLA)
>>> Name: ntrtscan
>>> displayname: OfficeScanNT RealTime Scan
>>> Name: PCAuditorService
>>> displayname: PCAuditorService
>>> Name: PlugPlay
>>> displayname: Plug and Play
>>> Name: Pml Driver HPZ12
>>> displayname: Pml Driver HPZ12
>>> Name: PolicyAgent
>>> displayname: IPSEC Services
>>> Name: ProtectedStorage
>>> displayname: Protected Storage
>>> Name: RasMan
>>> displayname: Remote Access Connection Manager
>>> Name: RemoteRegistry
>>> displayname: Remote Registry
>>> Name: RpcSs
>>> displayname: Remote Procedure Call (RPC)
>>> Name: SamSs
>>> displayname: Security Accounts Manager
>>> Name: Schedule
>>> displayname: Task Scheduler
>>> Name: seclogon
>>> displayname: Secondary Logon
>>> Name: SENS
>>> displayname: System Event Notification
>>> Name: SharedAccess
>>> displayname: Windows Firewall/Internet Connection Sharing (ICS)
>>> Name: ShellHWDetection
>>> displayname: Shell Hardware Detection
>>> Name: Spooler
>>> displayname: Print Spooler
>>> Name: srservice
>>> displayname: System Restore Service
>>> Name: SR_Service
>>> displayname: Check Point SecuRemote Service
>>> Name: SR_WatchDog
>>> displayname: Check Point SecuRemote WatchDog
>>> Name: SSDPSRV
>>> displayname: SSDP Discovery Service
>>> Name: stisvc
>>> displayname: Windows Image Acquisition (WIA)
>>> Name: TapiSrv
>>> displayname: Telephony
>>> Name: TermService
>>> displayname: Terminal Services
>>> Name: Themes
>>> displayname: Themes
>>> Name: tmlisten
>>> displayname: OfficeScan NT Listener
>>> Name: TrkWks
>>> displayname: Distributed Link Tracking Client
>>> Name: W32Time
>>> displayname: Windows Time
>>> Name: WebClient
>>> displayname: WebClient
>>> Name: winmgmt
>>> displayname: Windows Management Instrumentation
>>> Name: WZCSVC
>>> displayname: Wireless Zero Configuration
>>>
>>>

#2 Rorschach112

Advanced Member

Volunteer Security Advisor
2180 posts

Posted 15 June 2009 - 12:17 AM

hi

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

By the power of truth, I, while living, have conquered the universe.

~Scratch~

My help is always free, but if you want to donate to help me continue my fight against malware then click here

#3 GraemeT

Member

Members
14 posts

Posted 15 June 2009 - 01:27 AM

Hi,

Thanks for helping me out, here is he Combofix.txy log file, let me know how to proceed.

Graeme

ComboFix 09-06-14.02 - graeme.truluck 15/06/2009 0:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.496 [GMT 1:00]
Running from: c:\documents and settings\graeme.truluck\Desktop\ComboFix.exe
.
The following files were disabled during the run:
c:\winnt\system32\kibekobu.dll
c:\winnt\system32\gedarehi.dll
c:\winnt\system32\fikisezi.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\winnt\system32\fewibaro.exe
c:\winnt\system32\geloguhu.exe
c:\winnt\system32\gonidumu.exe
c:\winnt\system32\jiluneja.exe
c:\winnt\system32\ramuyape.exe
c:\winnt\system32\vudipafo.exe
c:\winnt\system32\wohepoje.dll
c:\winnt\system32\yajewose.exe
c:\winnt\system32\zavokafe.exe
c:\winnt\TEMP\logishrd\LVPrcInj06.dll
c:\winnt\IE4 Error Log.txt
c:\winnt\system32\abobowof.ini
c:\winnt\system32\adanonif.ini
c:\winnt\system32\adigabun.ini
c:\winnt\system32\afidilik.ini
c:\winnt\system32\akoromiw.ini
c:\winnt\system32\bivehuso.dll
c:\winnt\system32\dawotihi.dll
c:\winnt\system32\ehazovew.ini
c:\winnt\system32\ekujezof.ini
c:\winnt\system32\eludanot.ini
c:\winnt\system32\finonada.dll
c:\winnt\system32\fomuboza.dll
c:\winnt\system32\fowoboba.dll
c:\winnt\system32\fujatoki.dll.tmp
c:\winnt\system32\gabojiki.dll
c:\winnt\system32\gawugude.dll
c:\winnt\system32\gedarehi.dll.tmp
c:\winnt\system32\gupupehi.dll
c:\winnt\system32\hutafivu.dll
c:\winnt\system32\ICE_JNIRegistry.dll
c:\winnt\system32\ihoboloy.ini
c:\winnt\system32\jipanidi.dll.tmp
c:\winnt\system32\kilidifa.dll
c:\winnt\system32\kufuzoku.dll
c:\winnt\system32\larifise.dll.tmp
c:\winnt\system32\lirikozu.dll
c:\winnt\system32\lirudoho.dll
c:\winnt\system32\litinika.dll
c:\winnt\system32\litinika.dll.tmp
c:\winnt\system32\masorewu.dll
c:\winnt\system32\muhonigu.dll
c:\winnt\system32\noleriji.dll
c:\winnt\system32\ohoduril.ini
c:\winnt\system32\okijeyip.ini
c:\winnt\system32\okogesob.ini
c:\winnt\system32\opavuhuz.ini
c:\winnt\system32\opigiwop.ini
c:\winnt\system32\ozizowiy.ini
c:\winnt\system32\rutahizo.dll
c:\winnt\system32\rutuwivi.dll.tmp
c:\winnt\system32\savudude.exe
c:\winnt\system32\sazuyaga.dll
c:\winnt\system32\tonadule.dll
c:\winnt\system32\uginohum.ini
c:\winnt\system32\uhujawuy.ini
c:\winnt\system32\uwerosam.ini
c:\winnt\system32\vajezinu.dll
c:\winnt\system32\viyetowu.dll
c:\winnt\system32\vurifegu.dll.tmp
c:\winnt\system32\wevozahe.dll
c:\winnt\system32\wimoroka.dll
c:\winnt\system32\wofujevo.dll
c:\winnt\system32\yegehija.dll
c:\winnt\system32\yegehija.dll.tmp
c:\winnt\system32\yetisono.dll.tmp
c:\winnt\system32\yolobohi.dll
c:\winnt\system32\yunewire.dll
c:\winnt\system32\yuwajuhu.dll
c:\winnt\system32\zuhuvapo.dll
c:\winnt\system32\zujerivi.dll

----- BITS: Possible infected sites -----

hxxp://193.33.61.188
.
((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 )))))))))))))))))))))))))))))))
.

2009-06-14 19:27 . 2009-06-14 19:27 -------- d-----w- c:\program files\Trend Micro
2009-06-14 19:12 . 2009-06-14 20:10 155 ----a-w- C:\d45.bat
2009-06-13 21:46 . 2009-06-13 21:46 -------- d-----w- c:\winnt\system32\wbem\Repository
2009-06-13 17:13 . 2009-06-13 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\10814314
2009-06-13 17:10 . 2009-06-14 19:19 87552 ----a-w- c:\winnt\system32\lupemepu.dll
2009-06-13 17:10 . 2009-06-14 19:19 79872 ----a-w- c:\winnt\system32\bosegoko.dll
2009-05-29 00:38 . 2009-05-29 00:37 410984 ----a-w- c:\winnt\system32\deploytk.dll
2009-05-26 23:35 . 2009-05-26 23:35 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2009-05-26 23:35 . 2009-05-26 23:35 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\savapibridge.dll
2009-05-26 23:35 . 2009-05-26 23:35 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2009-05-17 23:25 . 2009-05-17 23:25 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
2009-05-16 20:08 . 2009-05-16 20:08 -------- d-----w- C:\HistView

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-15 00:11 . 2008-08-31 11:46 -------- d-----w- c:\program files\DNA
2009-06-15 00:11 . 2008-08-31 11:46 -------- d-----w- c:\documents and settings\graeme.truluck\Application Data\DNA
2009-06-15 00:08 . 2008-04-04 12:48 -------- d-----w- c:\program files\OfficeScan NT
2009-06-14 20:10 . 2009-03-14 20:10 15360 --sha-w- c:\winnt\system32\tukomiru.exe
2009-06-14 20:10 . 2009-03-14 20:10 80384 --sha-w- c:\winnt\system32\powigipo.dll
2009-06-14 20:10 . 2009-03-14 20:10 88064 ----a-w- c:\winnt\system32\fikisezi.dll.vir
2009-06-14 19:12 . 2009-03-14 19:12 49664 --sha-w- c:\winnt\system32\gumuluha.dll
2009-06-14 19:12 . 2009-03-14 19:12 88064 --sha-w- c:\winnt\system32\tumuwaku.dll
2009-06-14 19:12 . 2009-03-14 19:12 80384 --sha-w- c:\winnt\system32\piyejiko.dll
2009-06-14 19:12 . 2009-03-14 19:12 15360 --sha-w- c:\winnt\system32\tuwakebi.exe
2009-06-09 22:02 . 2008-07-11 16:39 -------- d-----w- c:\documents and settings\graeme.truluck\Application Data\Skype
2009-06-09 17:58 . 2005-03-21 11:48 -------- d-----w- c:\program files\Java
2009-06-09 17:44 . 2008-07-11 16:41 -------- d-----w- c:\documents and settings\graeme.truluck\Application Data\skypePM
2009-06-05 00:02 . 2008-08-31 11:47 -------- d-----w- c:\documents and settings\graeme.truluck\Application Data\BitTorrent
2009-05-26 23:35 . 2009-05-26 23:34 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
2009-05-26 23:35 . 2009-04-20 08:13 15688 ----a-w- c:\winnt\system32\lsdelete.exe
2009-05-17 23:25 . 2009-04-19 23:24 64160 ----a-w- c:\winnt\system32\drivers\Lbd.sys
2009-04-23 17:14 . 2009-04-23 17:14 -------- d-----w- c:\program files\7-Zip
2009-04-19 23:21 . 2009-04-19 23:21 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-19 23:21 . 2009-04-19 23:21 -------- d-----w- c:\program files\Lavasoft
2009-03-31 10:38 . 2009-03-31 10:38 0 ----a-w- c:\winnt\nsreg.dat
2009-03-29 23:33 . 2009-03-29 23:26 1878984 ----a-w- c:\documents and settings\graeme.truluck\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2006-12-29 14:15 . 2006-12-29 14:15 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2006-12-29 14:15 . 2006-12-29 14:15 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
2006-12-29 14:15 . 2006-12-29 14:15 3100672 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2006-12-29 14:15 . 2006-12-29 14:15 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2006-12-07 09:26 . 2006-12-07 09:26 1129984 ----a-w- c:\program files\Common Files\SAPActiveXL.xlt
2006-12-07 09:26 . 2006-12-07 09:26 1124864 ----a-w- c:\program files\Common Files\SAPActiveXL_nosig.xlt
2009-03-14 19:13 . 2009-03-14 19:13 49664 --sha-w- c:\winnt\system32\rejikago.dll
2009-03-14 19:13 . 2009-03-14 19:13 49664 --sha-w- c:\winnt\system32\vomepizu.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88cb6025-4ac4-4d85-b8b7-2021f796eb5f}]
2009-03-14 19:13 49664 --sha-w- c:\winnt\system32\rejikago.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CatUserRun"="exec32" [X]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-03 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-11-16 1611480]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-18 342848]
"ComWin-Frame"="c:\program files\Siemens\HiPath 4000 Expert Access\comwinsvr.exe" [2008-07-07 355328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Java Profiles Fix"="c:\program files\Java\Profile Fix\Java_Profile.exe" [2003-04-30 32768]
"JavaProfileFix2"="c:\program files\Java\Profile Fix\Java_Profile_2.exe" [2004-03-04 36864]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2001-08-09 118784]
"DirXconnect settings"="c:\progra~1\SIEMENS\DIRXDI~1\dxdSetup.exe" [2000-03-21 106561]
"USM"="c:\program files\Siemens\USM\USM.exe" [2007-11-07 57344]
"FmViewF9"="c:\progra~1\WINCOR~1\FMView\FMVIEWF9.DLL" [1999-03-08 11776]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"OfficeScanNT Monitor"="c:\program files\OfficeScan NT\pccntmon.exe" [2007-05-08 702072]
"SMS Application Launcher"="c:\winnt\MS\SMS\CORE\BIN\LAUNCH32.EXE" [2003-02-23 73584]
"Discovery User Input"="c:\discovery\User Input\userin32.exe" [2007-02-22 225280]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"JavaProfileFix3"="c:\program files\Java\Profile Fix\JAVA_Fix 3.exe" [2005-12-06 53248]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-26 518488]
"siruvatoko"="c:\winnt\system32\vomepizu.dll" [2009-03-14 49664]
"1c7456bd"="c:\winnt\system32\powigipo.dll" [2009-06-14 80384]
"AGRSMMSG"="AGRSMMSG.exe" - c:\winnt\AGRSMMSG.exe [2003-09-24 88363]
"ATIModeChange"="Ati2mdxx.exe" - c:\winnt\system32\Ati2mdxx.exe [2001-09-04 28672]
"AtiPTA"="atiptaxx.exe" - c:\winnt\system32\atiptaxx.exe [2002-02-08 315392]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2004-08-03 143360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\winnt\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"NeroHomeFirstStart"="c:\program files\Common Files\Ahead\Lib\NMFirstStart.exe" [2006-06-01 11264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Iomega Backup Scheduler.lnk - c:\winnt\Installer\{54BB46E4-184C-44D0-8F05-256212EDCF6D}\Icon54BB46E4.exe [2008-4-4 46592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"AllowMultipleTSSessions"= 0 (0x0)
"MaxGPOScriptWait"= 1800 (0x708)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoManageMyComputerVerb"= 1 (0x1)
"NoDFSTab"= 1 (0x1)
"NoRunasInstallPrompt"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisallowCpl"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"StartRunNoHOMEPATH"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2004-12-16 15:33 24672 ----a-w- c:\winnt\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1757981266-1326574676-725345543-39117\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1757981266-1326574676-725345543-39117\Scripts\Logoff\0\1]
"Script"=c:\winnt\Catpc\catsys\CATStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1757981266-1326574676-725345543-3989\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1757981266-1326574676-725345543-3989\Scripts\Logoff\0\1]
"Script"=c:\winnt\Catpc\catsys\CATStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-205172245-3898785446-1611566086-500\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINNT\\CATPC\\CATSYS\\CATStart.exe"=
"c:\\Program Files\\Apoint2K\\Apoint.exe"=
"c:\\WINNT\\explorer.exe"=

R3 {E6759E0C-470B-44DC-A4A1-627E68BB3A85};AIM 3.0 SI164;c:\winnt\system32\drivers\A302.sys [2003-10-08 11831]
R3 CdProbe;CdProbe;c:\winnt\system32\DRIVERS\CDProbe.SYS [2008-06-23 9248]
R3 CONAN;CONAN;c:\winnt\system32\drivers\o2mmb.sys [2003-10-27 190465]
R3 MbxStby;MbxStby;c:\winnt\system32\drivers\MbxStby.sys [2003-08-26 5817]
R3 NPF;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [2007-11-06 34064]
R3 OMVA;VPN-1 SecureClient Adapter;c:\winnt\system32\DRIVERS\OMVA.sys [2004-12-16 14924]
S0 Lbd;Lbd;c:\winnt\system32\DRIVERS\Lbd.sys [2009-05-17 64160]
S2 CatSystemSvc;CatSystem;c:\winnt\CATPC\CATSYS\CatSystemSvc.exe [2008-07-02 607744]
S2 CBBS;CAT Bulletin Board;c:\program files\Siemens\CAT Bulletin Board\CBBS.exe [2002-06-20 65536]
S2 ComWinService;ComWin Service;c:\program files\Siemens\HiPath 4000 Expert Access\ComWinSvc.exe [2008-07-07 61440]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-05-26 1005904]
S2 PCAuditorService;PCAuditorService;c:\program files\Siemens Communications\PCAuditorService\PCAuditorService.exe [2008-12-12 17408]
S2 Scap;SecureClient Application Policy Module;c:\winnt\system32\DRIVERS\Scap.sys [2004-12-16 17456]
S2 TmFilter;Trend Micro Filter;c:\program files\OfficeScan NT\TmXPFlt.sys [2008-11-26 205328]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\OfficeScan NT\TmPreFlt.sys [2008-11-26 36368]
S2 VPN-1;VPN-1 Module;c:\winnt\System32\drivers\vpn.sys [2004-12-16 670128]
S3 FW1;SecuRemote Miniport;c:\winnt\system32\DRIVERS\fw.sys [2004-12-16 2041904]
S3 hhdusbh;USB Monitor Filter Driver;c:\winnt\system32\drivers\hhdusbh.sys [2007-10-02 35968]
S3 NETMW145;Belkin N1 Wireless Notebook Card Service for Windows XP;c:\winnt\system32\DRIVERS\NETMW145.sys [2006-08-16 553984]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASPI32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-06-14 c:\winnt\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 23:34]

2009-04-20 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_06\bin\jusched.exe
HKLM-Run-CPM1f476521 - c:\winnt\system32\fikisezi.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://insite.intranet.siemenscomms.co.uk/
uInternet Settings,ProxyServer = GBNTHT12015SRV:8080
uInternet Settings,ProxyOverride = *.sitest.net;*.siemens.net;*.siemens.de;127.0.0.1;localhost;NTH4553C;<local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: 216.10.121.30
Trusted Zone: affiniti.com
Trusted Zone: atlas.co.uk
Trusted Zone: att.com\attpbm.web
Trusted Zone: cisco.com
Trusted Zone: conferencelobby.com
Trusted Zone: conferencing.com
Trusted Zone: confirmit.com
Trusted Zone: corporateexpress.co.uk
Trusted Zone: custhelp.com
Trusted Zone: designafairs.com
Trusted Zone: documentgenie.co.uk
Trusted Zone: ecommittees.bsi-global.com
Trusted Zone: edvantage.net
Trusted Zone: freeway.demo.lionbridge.com
Trusted Zone: g-dms.com
Trusted Zone: genesys.com
Trusted Zone: genesysmeetingcenter.com
Trusted Zone: genesysrichmedia.com
Trusted Zone: google.com
Trusted Zone: hipath-partnernet.icn.siemens.com
Trusted Zone: iconf.net
Trusted Zone: lufthansa.com
Trusted Zone: mchp7fra.siemens.com
Trusted Zone: mcmplus.com
Trusted Zone: microsoft.com
Trusted Zone: monsoon5.com
Trusted Zone: mrtedtalentlink.com
Trusted Zone: multimediabrains.nl
Trusted Zone: mymeetingplace.net
Trusted Zone: openscape.siemenscomms.net
Trusted Zone: passport.com
Trusted Zone: plantro.net
Trusted Zone: polycom.com
Trusted Zone: procon.cpdni.gov.uk
Trusted Zone: raindance.com
Trusted Zone: remedy.com
Trusted Zone: retaillink.wal-mart.com
Trusted Zone: rightnowdemo.com
Trusted Zone: rightnowtech.com
Trusted Zone: sap-ag.de
Trusted Zone: sap.com
Trusted Zone: siebel.com
Trusted Zone: siemens-cam.com
Trusted Zone: siemenscomms.co.uk
Trusted Zone: silentedge.co.uk
Trusted Zone: thomasinternational.net
Trusted Zone: vebra.com
Trusted Zone: webex.com
Trusted Zone: microsoft.com
Trusted Zone: sap-ag.de
Trusted Zone: sap.com
TCP: {6B3E5D43-083F-4C69-9951-244100FAB5ED} = 172.23.3.8,172.24.35.206
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {F53270D3-0E32-48B7-B63B-159E33210F70} - hxxps://www.g-dms.com/img/webexp/lledit.cab
FF - ProfilePath - c:\documents and settings\graeme.truluck\Application Data\Mozilla\Firefox\Profiles\tseiol1a.default\
FF - prefs.js: network.proxy.ftp - GBNTHT12015SRV
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - GBNTHT12015SRV
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - GBNTHT12015SRV
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - GBNTHT12015SRV
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - GBNTHT12015SRV
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-15 01:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\winnt\system32\opigiwop.ini 121 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6900)
c:\winnt\TEMP\logishrd\LVPrcInj01.dll
c:\winnt\system32\powigipo.dll
c:\winnt\system32\vomepizu.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\program files\Ipswitch\WS_FTP Pro\nsftpch.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\winnt\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\centenn.ial\AUDIT\cagent32.exe
c:\centenn.ial\AUDIT\xferwan.exe
c:\winnt\ms\sms\CORE\BIN\clisvcl.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Siemens\HiPath 4000 Expert Access\ComWinAccess.exe
c:\program files\OfficeScan NT\NTRtScan.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
c:\program files\OfficeScan NT\TmListen.exe
c:\winnt\Temp\EV848E.EXE
c:\winnt\ms\sms\clicomp\apa\Bin\SMSAPM32.exe
c:\winnt\system32\wbem\unsecapp.exe
c:\program files\OfficeScan NT\CNTAoSMgr.exe
c:\program files\Siemens\CAT Bulletin Board\CBB.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.exe
c:\winnt\system32\CF30459.exe
c:\program files\Apoint2K\ApntEx.exe
c:\winnt\ms\sms\clicomp\SWDist32\bin\SMSMon32.exe
c:\winnt\system32\rundll32.exe
c:\program files\Iomega\Iomega Backup\dtsc.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\winnt\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-06-15 1:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-15 00:22

Pre-Run: 5,404,610,560 bytes free
Post-Run: 6,167,744,512 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

421

#4 Rorschach112

Advanced Member

Volunteer Security Advisor
2180 posts

Posted 15 June 2009 - 01:20 PM

hi

Open notepad and copy/paste the text in the quotebox below into it:

http://www.lavasofts...showtopic=26016

Collect::
C:\d45.bat
c:\winnt\system32\lupemepu.dll
c:\winnt\system32\bosegoko.dll
c:\winnt\system32\tukomiru.exe
c:\winnt\system32\powigipo.dll
c:\winnt\system32\fikisezi.dll.vir
c:\winnt\system32\gumuluha.dll
c:\winnt\system32\tumuwaku.dll
c:\winnt\system32\piyejiko.dll
c:\winnt\system32\tuwakebi.exe
c:\winnt\system32\rejikago.dll
c:\winnt\system32\vomepizu.dll

folder::
c:\documents and settings\All Users\Application Data\10814314
file::
Rootkit::
c:\winnt\system32\opigiwop.ini
Suspect::

Save this as CFScript.txt

Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.

By the power of truth, I, while living, have conquered the universe.

~Scratch~

My help is always free, but if you want to donate to help me continue my fight against malware then click here

#5 GraemeT

Member

Members
14 posts

Posted 15 June 2009 - 08:56 PM

Hi there,

My PC is much much better now, applications are working better and the battery on the laptop is lasting longer already.

Let me know if there is anything more I need to do?

Cheers

G

ComboFix 09-06-14.02 - graeme.truluck 15/06/2009 16:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.482 [GMT 1:00]
Running from: c:\documents and settings\graeme.truluck\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\graeme.truluck\Desktop\CFScript.txt
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {D9D5906F-5437-4F48-A05C-3F3C29210780}

file zipped: C:\d45.bat
file zipped: c:\winnt\system32\bosegoko.dll
file zipped: c:\winnt\system32\gumuluha.dll
file zipped: c:\winnt\system32\lupemepu.dll
file zipped: c:\winnt\system32\piyejiko.dll
file zipped: c:\winnt\system32\powigipo.dll
file zipped: c:\winnt\system32\rejikago.dll
file zipped: c:\winnt\system32\tukomiru.exe
file zipped: c:\winnt\system32\tumuwaku.dll
file zipped: c:\winnt\system32\tuwakebi.exe
file zipped: c:\winnt\system32\vomepizu.dll
.
The following files were disabled during the run:
c:\winnt\system32\kibekobu.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\10814314
c:\winnt\TEMP\logishrd\LVPrcInj01.dll
C:\d45.bat
c:\documents and settings\All Users\Application Data\10814314\10814314.glu
c:\documents and settings\All Users\Application Data\10814314\pc10814314cnf
c:\documents and settings\All Users\Application Data\10814314\pc10814314ins
c:\winnt\system32\bosegoko.dll
c:\winnt\system32\gedarehi.dll
c:\winnt\system32\gumuluha.dll
c:\winnt\system32\lupemepu.dll
c:\winnt\system32\opigiwop.ini
c:\winnt\system32\piyejiko.dll
c:\winnt\system32\powigipo.dll
c:\winnt\system32\rejikago.dll
c:\winnt\system32\tukomiru.exe
c:\winnt\system32\tumuwaku.dll
c:\winnt\system32\tuwakebi.exe
c:\winnt\system32\vomepizu.dll
U:\RECYCLER

.
((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 )))))))))))))))))))))))))))))))
.

2009-06-15 16:01 . 2009-06-15 16:01 -------- d-----w- c:\documents and settings\graeme.truluck\Qoobox
2009-06-14 19:27 . 2009-06-14 19:27 -------- d-----w- c:\program files\Trend Micro
2009-06-13 21:46 . 2009-06-13 21:46 -------- d-----w- c:\winnt\system32\wbem\Repository
2009-05-29 00:38 . 2009-05-29 00:37 410984 ----a-w- c:\winnt\system32\deploytk.dll
2009-05-26 23:35 . 2009-05-26 23:35 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2009-05-26 23:35 . 2009-05-26 23:35 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\savapibridge.dll
2009-05-26 23:35 . 2009-05-26 23:35 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2009-05-17 23:25 . 2009-05-17 23:25 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
2009-05-16 20:08 . 2009-05-16 20:08 -------- d-----w- C:\HistView

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-15 16:01 . 2008-08-31 11:46 -------- d-----w- c:\program files\DNA
2009-06-15 16:01 . 2008-08-31 11:46 -------- d-----w- c:\documents and settings\graeme.truluck\Application Data\DNA
2009-06-15 15:54 . 2008-04-04 12:48 -------- d-----w- c:\program files\OfficeScan NT
2009-06-15 09:13 . 2005-03-21 11:51 -------- d-----w- c:\program files\Siemens
2009-06-14 20:10 . 2009-03-14 20:10 88064 ----a-w- c:\winnt\system32\fikisezi.dll
2009-06-09 22:02 . 2008-07-11 16:39 -------- d-----w- c:\documents and settings\graeme.truluck\Application Data\Skype
2009-06-09 17:58 . 2005-03-21 11:48 -------- d-----w- c:\program files\Java
2009-06-09 17:44 . 2008-07-11 16:41 -------- d-----w- c:\documents and settings\graeme.truluck\Application Data\skypePM
2009-06-05 00:02 . 2008-08-31 11:47 -------- d-----w- c:\documents and settings\graeme.truluck\Application Data\BitTorrent
2009-05-26 23:35 . 2009-05-26 23:34 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
2009-05-26 23:35 . 2009-04-20 08:13 15688 ----a-w- c:\winnt\system32\lsdelete.exe
2009-05-17 23:25 . 2009-04-19 23:24 64160 ----a-w- c:\winnt\system32\drivers\Lbd.sys
2009-04-23 17:14 . 2009-04-23 17:14 -------- d-----w- c:\program files\7-Zip
2009-04-19 23:21 . 2009-04-19 23:21 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-19 23:21 . 2009-04-19 23:21 -------- d-----w- c:\program files\Lavasoft
2009-03-31 10:38 . 2009-03-31 10:38 0 ----a-w- c:\winnt\nsreg.dat
2009-03-29 23:33 . 2009-03-29 23:26 1878984 ----a-w- c:\documents and settings\graeme.truluck\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2006-12-29 14:15 . 2006-12-29 14:15 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2006-12-29 14:15 . 2006-12-29 14:15 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
2006-12-29 14:15 . 2006-12-29 14:15 3100672 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2006-12-29 14:15 . 2006-12-29 14:15 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2006-12-07 09:26 . 2006-12-07 09:26 1129984 ----a-w- c:\program files\Common Files\SAPActiveXL.xlt
2006-12-07 09:26 . 2006-12-07 09:26 1124864 ----a-w- c:\program files\Common Files\SAPActiveXL_nosig.xlt
.

((((((((((((((((((((((((((((( SnapShot@2009-06-15_00.11.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-15 16:01 . 2009-06-15 16:01 16384 c:\winnt\Temp\Perflib_Perfdata_f58.dat
+ 2008-04-04 12:17 . 2008-07-09 07:38 26488 c:\winnt\system32\spupdsvc.exe
- 2008-04-04 12:22 . 2008-07-09 07:38 17272 c:\winnt\system32\spmsg.dll
+ 2008-04-04 12:22 . 2007-11-30 12:39 17272 c:\winnt\system32\spmsg.dll
+ 2005-03-21 18:09 . 2009-02-03 20:08 55808 c:\winnt\system32\secur32.dll
- 2005-03-21 18:09 . 2004-08-03 22:56 55808 c:\winnt\system32\secur32.dll
+ 2005-03-21 18:09 . 2009-02-06 09:54 35328 c:\winnt\system32\sc.exe
+ 2005-03-21 18:09 . 2009-02-20 08:30 39424 c:\winnt\system32\pngfilt.dll
- 2005-03-21 18:09 . 2008-10-16 10:37 39424 c:\winnt\system32\pngfilt.dll
+ 2005-03-21 18:09 . 2009-06-15 09:56 71370 c:\winnt\system32\perfc009.dat
- 2005-03-21 18:09 . 2009-04-13 21:21 71370 c:\winnt\system32\perfc009.dat
+ 2005-03-21 11:30 . 2008-06-12 14:16 91648 c:\winnt\system32\mtxoci.dll
+ 2005-03-21 18:08 . 2008-06-12 14:16 66560 c:\winnt\system32\mtxclu.dll
- 2005-03-21 18:08 . 2006-03-01 19:42 66560 c:\winnt\system32\mtxclu.dll
+ 2005-03-21 11:30 . 2008-06-12 14:16 58880 c:\winnt\system32\msdtclog.dll
- 2005-03-21 11:30 . 2004-08-03 22:56 58880 c:\winnt\system32\msdtclog.dll
+ 2005-03-21 18:07 . 2009-02-20 08:30 16384 c:\winnt\system32\jsproxy.dll
- 2005-03-21 18:07 . 2008-10-16 10:37 16384 c:\winnt\system32\jsproxy.dll
- 2005-03-21 18:07 . 2008-10-16 10:37 96256 c:\winnt\system32\inseng.dll
+ 2005-03-21 18:07 . 2009-02-20 08:30 96256 c:\winnt\system32\inseng.dll
- 2005-03-21 18:07 . 2004-08-03 22:56 81920 c:\winnt\system32\ieencode.dll
+ 2005-03-21 18:07 . 2009-02-20 08:30 81920 c:\winnt\system32\ieencode.dll
+ 2005-03-21 18:07 . 2009-02-20 08:30 55808 c:\winnt\system32\extmgr.dll
- 2005-03-21 18:07 . 2008-10-16 10:37 55808 c:\winnt\system32\extmgr.dll
- 2005-03-21 18:09 . 2004-08-03 22:56 55808 c:\winnt\system32\dllcache\secur32.dll
+ 2005-03-21 18:09 . 2009-02-03 20:08 55808 c:\winnt\system32\dllcache\secur32.dll
+ 2005-03-21 18:09 . 2009-02-06 09:54 35328 c:\winnt\system32\dllcache\sc.exe
+ 2005-03-21 18:09 . 2009-02-20 08:30 39424 c:\winnt\system32\dllcache\pngfilt.dll
- 2005-03-21 18:09 . 2008-10-16 10:37 39424 c:\winnt\system32\dllcache\pngfilt.dll
+ 2005-03-21 11:30 . 2008-06-12 14:16 91648 c:\winnt\system32\dllcache\mtxoci.dll
+ 2005-03-21 18:08 . 2008-06-12 14:16 66560 c:\winnt\system32\dllcache\mtxclu.dll
- 2005-03-21 18:08 . 2006-03-01 19:42 66560 c:\winnt\system32\dllcache\mtxclu.dll
- 2005-03-21 11:30 . 2004-08-03 22:56 58880 c:\winnt\system32\dllcache\msdtclog.dll
+ 2005-03-21 11:30 . 2008-06-12 14:16 58880 c:\winnt\system32\dllcache\msdtclog.dll
+ 2005-03-21 18:07 . 2009-02-20 08:30 16384 c:\winnt\system32\dllcache\jsproxy.dll
- 2005-03-21 18:07 . 2008-10-16 10:37 16384 c:\winnt\system32\dllcache\jsproxy.dll
- 2005-03-21 18:07 . 2008-10-16 10:37 96256 c:\winnt\system32\dllcache\inseng.dll
+ 2005-03-21 18:07 . 2009-02-20 08:30 96256 c:\winnt\system32\dllcache\inseng.dll
- 2005-03-21 18:07 . 2004-08-03 22:56 81920 c:\winnt\system32\dllcache\ieencode.dll
+ 2005-03-21 18:07 . 2009-02-20 08:30 81920 c:\winnt\system32\dllcache\ieencode.dll
+ 2005-03-21 11:32 . 2009-02-19 09:58 18432 c:\winnt\system32\dllcache\iedw.exe
- 2005-03-21 11:32 . 2008-10-15 09:45 18432 c:\winnt\system32\dllcache\iedw.exe
- 2005-03-21 18:07 . 2008-10-16 10:37 55808 c:\winnt\system32\dllcache\extmgr.dll
+ 2005-03-21 18:07 . 2009-02-20 08:30 55808 c:\winnt\system32\dllcache\extmgr.dll
- 2005-03-21 11:30 . 2005-07-26 04:39 60416 c:\winnt\system32\dllcache\colbact.dll
+ 2005-03-21 11:30 . 2005-07-26 04:20 60416 c:\winnt\system32\dllcache\colbact.dll
+ 2005-03-21 11:39 . 2009-06-15 09:57 32768 c:\winnt\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-03-21 11:39 . 2009-06-13 23:20 32768 c:\winnt\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-03-21 11:39 . 2009-06-15 09:57 32768 c:\winnt\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-03-21 11:39 . 2009-06-13 23:20 32768 c:\winnt\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-03-21 11:39 . 2009-06-13 23:20 16384 c:\winnt\system32\config\systemprofile\Cookies\index.dat
+ 2005-03-21 11:39 . 2009-06-15 09:57 16384 c:\winnt\system32\config\systemprofile\Cookies\index.dat
- 2005-03-21 11:30 . 2005-07-26 04:39 60416 c:\winnt\system32\colbact.dll
+ 2005-03-21 11:30 . 2005-07-26 04:20 60416 c:\winnt\system32\colbact.dll
+ 2009-06-15 09:13 . 2009-06-15 09:13 4608 c:\winnt\Installer\{ADD95407-96C4-4991-ABE4-39817704A5FC}\IconADD95407.exe
+ 2009-06-15 15:55 . 2007-05-08 00:43 300656 c:\winnt\Temp\QT8BB3.EXE
- 2008-04-04 11:58 . 2008-10-15 14:00 351744 c:\winnt\system32\xpsp3res.dll
+ 2008-04-04 11:58 . 2009-02-19 09:47 351744 c:\winnt\system32\xpsp3res.dll
+ 2005-03-21 18:04 . 2009-02-20 08:30 659456 c:\winnt\system32\wininet.dll
- 2005-03-21 18:04 . 2008-10-16 10:37 659456 c:\winnt\system32\wininet.dll
+ 2005-03-21 18:11 . 2008-12-16 12:47 351232 c:\winnt\system32\winhttp.dll
- 2005-03-21 18:11 . 2004-08-03 22:56 351232 c:\winnt\system32\winhttp.dll
+ 2005-03-21 11:30 . 2009-02-06 09:41 227840 c:\winnt\system32\wbem\wmiprvse.exe
+ 2005-03-21 11:30 . 2009-02-10 17:31 453120 c:\winnt\system32\wbem\wmiprvsd.dll
+ 2005-03-21 11:30 . 2009-02-09 10:01 473088 c:\winnt\system32\wbem\fastprox.dll
+ 2005-03-21 18:04 . 2009-02-20 08:30 616448 c:\winnt\system32\urlmon.dll
- 2005-03-21 18:09 . 2008-10-16 10:37 474112 c:\winnt\system32\shlwapi.dll
+ 2005-03-21 18:09 . 2009-02-20 08:30 474112 c:\winnt\system32\shlwapi.dll
+ 2005-03-21 18:09 . 2009-02-06 10:22 110592 c:\winnt\system32\services.exe
- 2005-03-21 18:09 . 2007-04-25 14:21 144896 c:\winnt\system32\schannel.dll
+ 2005-03-21 18:09 . 2008-12-05 07:12 144896 c:\winnt\system32\schannel.dll
+ 2005-03-21 18:09 . 2009-02-09 10:01 401408 c:\winnt\system32\rpcss.dll
+ 2005-03-21 18:09 . 2009-06-15 09:56 439832 c:\winnt\system32\perfh009.dat
- 2005-03-21 18:09 . 2009-04-13 21:21 439832 c:\winnt\system32\perfh009.dat
+ 2005-03-21 18:09 . 2009-03-06 14:00 284160 c:\winnt\system32\pdh.dll
+ 2005-03-21 18:08 . 2009-02-09 10:01 715264 c:\winnt\system32\ntdll.dll
- 2005-03-21 18:08 . 2008-10-16 10:37 532480 c:\winnt\system32\mstime.dll
+ 2005-03-21 18:08 . 2009-02-20 08:30 532480 c:\winnt\system32\mstime.dll
+ 2005-03-21 18:08 . 2009-02-20 08:30 146432 c:\winnt\system32\msrating.dll
- 2005-03-21 18:08 . 2008-10-16 10:37 146432 c:\winnt\system32\msrating.dll
- 2005-03-21 18:08 . 2008-10-16 10:37 449024 c:\winnt\system32\mshtmled.dll
+ 2005-03-21 18:08 . 2009-02-20 08:30 449024 c:\winnt\system32\mshtmled.dll
+ 2005-03-21 11:30 . 2008-06-12 14:16 161792 c:\winnt\system32\msdtcuiu.dll
+ 2005-03-21 11:30 . 2008-06-12 14:16 956928 c:\winnt\system32\msdtctm.dll
+ 2005-03-21 11:30 . 2008-06-12 14:16 428032 c:\winnt\system32\msdtcprx.dll
+ 2005-03-21 18:08 . 2009-02-09 10:01 728576 c:\winnt\system32\lsasrv.dll
+ 2005-03-21 18:07 . 2009-03-21 14:18 986112 c:\winnt\system32\kernel32.dll
- 2005-03-21 18:07 . 2008-10-16 10:37 251392 c:\winnt\system32\iepeers.dll
+ 2005-03-21 18:07 . 2009-02-20 08:30 251392 c:\winnt\system32\iepeers.dll
- 2005-03-21 11:20 . 2009-02-07 01:19 222432 c:\winnt\system32\FNTCACHE.DAT
+ 2005-03-21 11:20 . 2009-06-15 09:51 222432 c:\winnt\system32\FNTCACHE.DAT
+ 2005-03-21 18:07 . 2009-02-20 08:30 205312 c:\winnt\system32\dxtrans.dll
- 2005-03-21 18:07 . 2008-10-16 10:37 205312 c:\winnt\system32\dxtrans.dll
- 2005-03-21 18:07 . 2008-10-16 10:37 357888 c:\winnt\system32\dxtmsft.dll
+ 2005-03-21 18:07 . 2009-02-20 08:30 357888 c:\winnt\system32\dxtmsft.dll
+ 2005-03-21 11:30 . 2008-04-21 10:02 215552 c:\winnt\system32\dllcache\wordpad.exe
+ 2005-03-21 11:30 . 2009-02-06 09:41 227840 c:\winnt\system32\dllcache\wmiprvse.exe
+ 2005-03-21 11:30 . 2009-02-10 17:31 453120 c:\winnt\system32\dllcache\wmiprvsd.dll
- 2005-03-21 18:04 . 2008-10-16 10:37 659456 c:\winnt\system32\dllcache\wininet.dll
+ 2005-03-21 18:04 . 2009-02-20 08:30 659456 c:\winnt\system32\dllcache\wininet.dll
- 2005-03-21 18:11 . 2004-08-03 22:56 351232 c:\winnt\system32\dllcache\winhttp.dll
+ 2005-03-21 18:11 . 2008-12-16 12:47 351232 c:\winnt\system32\dllcache\winhttp.dll
+ 2005-03-21 18:04 . 2009-02-20 08:30 616448 c:\winnt\system32\dllcache\urlmon.dll
+ 2005-03-21 18:09 . 2009-02-20 08:30 474112 c:\winnt\system32\dllcache\shlwapi.dll
- 2005-03-21 18:09 . 2008-10-16 10:37 474112 c:\winnt\system32\dllcache\shlwapi.dll
+ 2005-03-21 18:09 . 2009-02-06 10:22 110592 c:\winnt\system32\dllcache\services.exe
- 2005-03-21 18:09 . 2007-04-25 14:21 144896 c:\winnt\system32\dllcache\schannel.dll
+ 2005-03-21 18:09 . 2008-12-05 07:12 144896 c:\winnt\system32\dllcache\schannel.dll
+ 2005-03-21 18:09 . 2009-02-09 10:01 401408 c:\winnt\system32\dllcache\rpcss.dll
+ 2005-03-21 18:09 . 2009-03-06 14:00 284160 c:\winnt\system32\dllcache\pdh.dll
+ 2005-03-21 18:08 . 2009-02-09 10:01 715264 c:\winnt\system32\dllcache\ntdll.dll
+ 2005-03-21 18:08 . 2009-02-20 08:30 532480 c:\winnt\system32\dllcache\mstime.dll
- 2005-03-21 18:08 . 2008-10-16 10:37 532480 c:\winnt\system32\dllcache\mstime.dll
- 2005-03-21 18:08 . 2008-10-16 10:37 146432 c:\winnt\system32\dllcache\msrating.dll
+ 2005-03-21 18:08 . 2009-02-20 08:30 146432 c:\winnt\system32\dllcache\msrating.dll
+ 2005-03-21 18:08 . 2009-02-20 08:30 449024 c:\winnt\system32\dllcache\mshtmled.dll
- 2005-03-21 18:08 . 2008-10-16 10:37 449024 c:\winnt\system32\dllcache\mshtmled.dll
+ 2005-03-21 11:30 . 2008-06-12 14:16 161792 c:\winnt\system32\dllcache\msdtcuiu.dll
+ 2005-03-21 11:30 . 2008-06-12 14:16 956928 c:\winnt\system32\dllcache\msdtctm.dll
+ 2005-03-21 11:30 . 2008-06-12 14:16 428032 c:\winnt\system32\dllcache\msdtcprx.dll
+ 2005-03-21 18:08 . 2009-02-09 10:01 728576 c:\winnt\system32\dllcache\lsasrv.dll
+ 2005-03-21 18:07 . 2009-03-21 14:18 986112 c:\winnt\system32\dllcache\kernel32.dll
+ 2005-03-21 18:07 . 2009-02-20 08:30 251392 c:\winnt\system32\dllcache\iepeers.dll
- 2005-03-21 18:07 . 2008-10-16 10:37 251392 c:\winnt\system32\dllcache\iepeers.dll
+ 2005-03-21 11:30 . 2009-02-09 10:01 473088 c:\winnt\system32\dllcache\fastprox.dll
+ 2005-03-21 18:07 . 2009-02-20 08:30 205312 c:\winnt\system32\dllcache\dxtrans.dll
- 2005-03-21 18:07 . 2008-10-16 10:37 205312 c:\winnt\system32\dllcache\dxtrans.dll
- 2005-03-21 18:07 . 2008-10-16 10:37 357888 c:\winnt\system32\dllcache\dxtmsft.dll
+ 2005-03-21 18:07 . 2009-02-20 08:30 357888 c:\winnt\system32\dllcache\dxtmsft.dll
+ 2005-03-21 18:05 . 2009-02-20 08:30 151040 c:\winnt\system32\dllcache\cdfview.dll
- 2005-03-21 18:05 . 2008-10-16 10:37 151040 c:\winnt\system32\dllcache\cdfview.dll
+ 2005-03-21 18:05 . 2009-02-09 10:01 617984 c:\winnt\system32\dllcache\advapi32.dll
- 2005-03-21 18:05 . 2008-10-16 10:37 151040 c:\winnt\system32\cdfview.dll
+ 2005-03-21 18:05 . 2009-02-20 08:30 151040 c:\winnt\system32\cdfview.dll
+ 2005-03-21 18:05 . 2009-02-09 10:01 617984 c:\winnt\system32\advapi32.dll
+ 2009-06-15 09:29 . 2008-04-15 17:54 1724416 c:\winnt\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
- 2008-09-29 16:45 . 2008-04-15 17:54 1724416 c:\winnt\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
+ 2008-09-29 16:45 . 2008-04-15 17:54 1724416 c:\winnt\WinSxS\InstallTemp\2381711\GdiPlus.dll
+ 2005-03-21 18:10 . 2009-02-09 10:19 1846272 c:\winnt\system32\win32k.sys
+ 2005-03-21 18:09 . 2008-07-03 13:03 8460800 c:\winnt\system32\shell32.dll
+ 2005-03-21 18:04 . 2009-03-02 23:52 1495552 c:\winnt\system32\shdocvw.dll
+ 2005-03-21 18:09 . 2008-12-20 22:43 1287680 c:\winnt\system32\quartz.dll
- 2005-03-21 18:09 . 2008-05-07 05:18 1287680 c:\winnt\system32\quartz.dll
+ 2005-03-21 18:08 . 2009-02-06 10:32 2186112 c:\winnt\system32\ntoskrnl.exe
- 2004-08-03 22:59 . 2008-08-14 09:18 2062976 c:\winnt\system32\ntkrnlpa.exe
+ 2004-08-03 22:59 . 2009-02-06 09:49 2062976 c:\winnt\system32\ntkrnlpa.exe
+ 2005-03-21 18:04 . 2009-02-20 08:30 3059712 c:\winnt\system32\mshtml.dll
+ 2005-03-21 18:10 . 2009-02-09 10:19 1846272 c:\winnt\system32\dllcache\win32k.sys
+ 2005-03-21 18:09 . 2008-07-03 13:03 8460800 c:\winnt\system32\dllcache\shell32.dll
+ 2005-03-21 18:04 . 2009-03-02 23:52 1495552 c:\winnt\system32\dllcache\shdocvw.dll
- 2005-03-21 18:09 . 2008-05-07 05:18 1287680 c:\winnt\system32\dllcache\quartz.dll
+ 2005-03-21 18:09 . 2008-12-20 22:43 1287680 c:\winnt\system32\dllcache\quartz.dll
+ 2008-04-04 13:30 . 2009-02-06 10:32 2186112 c:\winnt\system32\dllcache\ntoskrnl.exe
- 2008-04-04 13:30 . 2008-08-14 09:18 2020864 c:\winnt\system32\dllcache\ntkrpamp.exe
+ 2008-04-04 13:30 . 2009-02-06 09:49 2020864 c:\winnt\system32\dllcache\ntkrpamp.exe
- 2007-02-28 00:15 . 2008-08-14 09:18 2062976 c:\winnt\system32\dllcache\ntkrnlpa.exe
+ 2007-02-28 00:15 . 2009-02-06 09:49 2062976 c:\winnt\system32\dllcache\ntkrnlpa.exe
- 2008-04-04 13:30 . 2008-08-14 09:55 2142720 c:\winnt\system32\dllcache\ntkrnlmp.exe
+ 2008-04-04 13:30 . 2009-02-06 10:29 2142720 c:\winnt\system32\dllcache\ntkrnlmp.exe
+ 2005-03-21 18:04 . 2009-02-20 08:30 3059712 c:\winnt\system32\dllcache\mshtml.dll
- 2005-03-21 18:05 . 2008-10-16 10:37 1054208 c:\winnt\system32\dllcache\danim.dll
+ 2005-03-21 18:05 . 2009-02-20 08:30 1054208 c:\winnt\system32\dllcache\danim.dll
+ 2005-03-21 18:04 . 2009-02-20 08:30 1023488 c:\winnt\system32\dllcache\browseui.dll
- 2005-03-21 18:04 . 2008-10-16 10:37 1023488 c:\winnt\system32\dllcache\browseui.dll
+ 2005-03-21 18:05 . 2009-02-20 08:30 1054208 c:\winnt\system32\danim.dll
- 2005-03-21 18:05 . 2008-10-16 10:37 1054208 c:\winnt\system32\danim.dll
- 2005-03-21 18:04 . 2008-10-16 10:37 1023488 c:\winnt\system32\browseui.dll
+ 2005-03-21 18:04 . 2009-02-20 08:30 1023488 c:\winnt\system32\browseui.dll
+ 2008-04-04 12:04 . 2009-02-06 10:32 2186112 c:\winnt\Driver Cache\i386\ntoskrnl.exe
- 2008-04-04 12:04 . 2008-08-14 09:18 2020864 c:\winnt\Driver Cache\i386\ntkrpamp.exe
+ 2008-04-04 12:04 . 2009-02-06 09:49 2020864 c:\winnt\Driver Cache\i386\ntkrpamp.exe
+ 2008-04-04 12:04 . 2009-02-06 09:49 2062976 c:\winnt\Driver Cache\i386\ntkrnlpa.exe
- 2008-04-04 12:04 . 2008-08-14 09:18 2062976 c:\winnt\Driver Cache\i386\ntkrnlpa.exe
- 2008-04-04 12:04 . 2008-08-14 09:55 2142720 c:\winnt\Driver Cache\i386\ntkrnlmp.exe
+ 2008-04-04 12:04 . 2009-02-06 10:29 2142720 c:\winnt\Driver Cache\i386\ntkrnlmp.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CatUserRun"="exec32" [X]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-03 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-11-16 1611480]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-18 342848]
"ComWin-Frame"="c:\program files\Siemens\HiPath 4000 Expert Access\comwinsvr.exe" [2008-07-07 355328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Java Profiles Fix"="c:\program files\Java\Profile Fix\Java_Profile.exe" [2003-04-30 32768]
"JavaProfileFix2"="c:\program files\Java\Profile Fix\Java_Profile_2.exe" [2004-03-04 36864]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2001-08-09 118784]
"DirXconnect settings"="c:\progra~1\SIEMENS\DIRXDI~1\dxdSetup.exe" [2000-03-21 106561]
"USM"="c:\program files\Siemens\USM\USM.exe" [2007-11-07 57344]
"FmViewF9"="c:\progra~1\WINCOR~1\FMView\FMVIEWF9.DLL" [1999-03-08 11776]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"OfficeScanNT Monitor"="c:\program files\OfficeScan NT\pccntmon.exe" [2007-05-08 702072]
"SMS Application Launcher"="c:\winnt\MS\SMS\CORE\BIN\LAUNCH32.EXE" [2003-02-23 73584]
"Discovery User Input"="c:\discovery\User Input\userin32.exe" [2007-02-22 225280]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"JavaProfileFix3"="c:\program files\Java\Profile Fix\JAVA_Fix 3.exe" [2005-12-06 53248]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-26 518488]
"AGRSMMSG"="AGRSMMSG.exe" - c:\winnt\AGRSMMSG.exe [2003-09-24 88363]
"ATIModeChange"="Ati2mdxx.exe" - c:\winnt\system32\Ati2mdxx.exe [2001-09-04 28672]
"AtiPTA"="atiptaxx.exe" - c:\winnt\system32\atiptaxx.exe [2002-02-08 315392]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2004-08-03 143360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\winnt\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"NeroHomeFirstStart"="c:\program files\Common Files\Ahead\Lib\NMFirstStart.exe" [2006-06-01 11264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Iomega Backup Scheduler.lnk - c:\winnt\Installer\{54BB46E4-184C-44D0-8F05-256212EDCF6D}\Icon54BB46E4.exe [2008-4-4 46592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"AllowMultipleTSSessions"= 0 (0x0)
"MaxGPOScriptWait"= 1800 (0x708)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoManageMyComputerVerb"= 1 (0x1)
"NoDFSTab"= 1 (0x1)
"NoRunasInstallPrompt"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisallowCpl"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"StartRunNoHOMEPATH"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2004-12-16 15:33 24672 ----a-w- c:\winnt\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1757981266-1326574676-725345543-39117\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1757981266-1326574676-725345543-39117\Scripts\Logoff\0\1]
"Script"=c:\winnt\Catpc\catsys\CATStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1757981266-1326574676-725345543-3989\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1757981266-1326574676-725345543-3989\Scripts\Logoff\0\1]
"Script"=c:\winnt\Catpc\catsys\CATStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-205172245-3898785446-1611566086-500\Scripts\Logoff\0\0]
"Script"=CBELogoff.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINNT\\CATPC\\CATSYS\\CATStart.exe"=
"c:\\Program Files\\Apoint2K\\Apoint.exe"=
"c:\\Program Files\\Common Files\\LogiShrd\\LQCVFX\\COCIManager.exe"=

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [20/04/2009 00:24 64160]
R2 CatSystemSvc;CatSystem;c:\winnt\CATPC\CATSYS\CatSystemSvc.exe [13/06/2008 11:27 607744]
R2 CBBS;CAT Bulletin Board;c:\program files\Siemens\CAT Bulletin Board\CBBS.exe [20/06/2002 18:52 65536]
R2 ComWinService;ComWin Service;c:\program files\Siemens\HiPath 4000 Expert Access\ComWinSvc.exe [07/07/2008 11:29 61440]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1005904]
R2 PCAuditorService;PCAuditorService;c:\program files\Siemens Communications\PCAuditorService\PCAuditorService.exe [12/12/2008 16:07 17408]
R2 Scap;SecureClient Application Policy Module;c:\winnt\system32\drivers\scap.sys [25/02/2009 19:34 17456]
R2 TmFilter;Trend Micro Filter;c:\program files\OfficeScan NT\tmxpflt.sys [06/09/2006 20:27 205328]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\OfficeScan NT\tmpreflt.sys [06/09/2006 20:27 36368]
R2 VPN-1;VPN-1 Module;c:\winnt\system32\drivers\vpn.sys [25/02/2009 19:34 670128]
R3 FW1;SecuRemote Miniport;c:\winnt\system32\drivers\fw.sys [25/02/2009 19:35 2041904]
R3 hhdusbh;USB Monitor Filter Driver;c:\winnt\system32\drivers\hhdusbh.sys [22/11/2008 22:08 35968]
S3 {E6759E0C-470B-44DC-A4A1-627E68BB3A85};AIM 3.0 SI164;c:\winnt\system32\drivers\a302.sys [21/03/2005 19:14 11831]
S3 CdProbe;CdProbe;c:\winnt\system32\drivers\CDProbe.SYS [13/06/2008 14:59 9248]
S3 CONAN;CONAN;c:\winnt\system32\drivers\o2mmb.sys [21/03/2005 19:15 190465]
S3 MbxStby;MbxStby;c:\winnt\system32\drivers\MbxStby.sys [21/03/2005 19:15 5817]
S3 NETMW145;Belkin N1 Wireless Notebook Card Service for Windows XP;c:\winnt\system32\drivers\NETMW145.sys [08/12/2008 23:37 553984]
S3 NPF;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [06/11/2007 21:22 34064]
S3 OMVA;VPN-1 SecureClient Adapter;c:\winnt\system32\drivers\OMVA.sys [25/02/2009 19:35 14924]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASPI32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-06-14 c:\winnt\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 23:34]

2009-04-20 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{88cb6025-4ac4-4d85-b8b7-2021f796eb5f} - c:\winnt\system32\rejikago.dll
HKLM-Run-siruvatoko - c:\winnt\system32\vomepizu.dll
HKLM-Run-1c7456bd - c:\winnt\system32\powigipo.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://insite.intranet.siemenscomms.co.uk/
uInternet Settings,ProxyServer = GBNTHT12015SRV:8080
uInternet Settings,ProxyOverride = *.sitest.net;*.siemens.net;*.siemens.de;127.0.0.1;localhost;NTH4553C;<local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: 216.10.121.30
Trusted Zone: affiniti.com
Trusted Zone: atlas.co.uk
Trusted Zone: att.com\attpbm.web
Trusted Zone: cisco.com
Trusted Zone: conferencelobby.com
Trusted Zone: conferencing.com
Trusted Zone: confirmit.com
Trusted Zone: corporateexpress.co.uk
Trusted Zone: custhelp.com
Trusted Zone: designafairs.com
Trusted Zone: documentgenie.co.uk
Trusted Zone: ecommittees.bsi-global.com
Trusted Zone: edvantage.net
Trusted Zone: freeway.demo.lionbridge.com
Trusted Zone: g-dms.com
Trusted Zone: genesys.com
Trusted Zone: genesysmeetingcenter.com
Trusted Zone: genesysrichmedia.com
Trusted Zone: google.com
Trusted Zone: hipath-partnernet.icn.siemens.com
Trusted Zone: iconf.net
Trusted Zone: lufthansa.com
Trusted Zone: mchp7fra.siemens.com
Trusted Zone: mcmplus.com
Trusted Zone: microsoft.com
Trusted Zone: monsoon5.com
Trusted Zone: mrtedtalentlink.com
Trusted Zone: multimediabrains.nl
Trusted Zone: mymeetingplace.net
Trusted Zone: openscape.siemenscomms.net
Trusted Zone: passport.com
Trusted Zone: plantro.net
Trusted Zone: polycom.com
Trusted Zone: procon.cpdni.gov.uk
Trusted Zone: raindance.com
Trusted Zone: remedy.com
Trusted Zone: retaillink.wal-mart.com
Trusted Zone: rightnowdemo.com
Trusted Zone: rightnowtech.com
Trusted Zone: sap-ag.de
Trusted Zone: sap.com
Trusted Zone: siebel.com
Trusted Zone: siemens-cam.com
Trusted Zone: siemenscomms.co.uk
Trusted Zone: silentedge.co.uk
Trusted Zone: thomasinternational.net
Trusted Zone: vebra.com
Trusted Zone: webex.com
Trusted Zone: microsoft.com
Trusted Zone: sap-ag.de
Trusted Zone: sap.com
TCP: {6B3E5D43-083F-4C69-9951-244100FAB5ED} = 172.23.3.8,172.24.35.206
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-15 17:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(604)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(7256)
c:\winnt\TEMP\logishrd\LVPrcInj01.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\program files\Ipswitch\WS_FTP Pro\nsftpch.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
c:\program files\Apoint2K\EzAuto.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\winnt\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\centenn.ial\AUDIT\cagent32.exe
c:\centenn.ial\AUDIT\xferwan.exe
c:\winnt\ms\sms\CORE\BIN\clisvcl.exe
c:\program files\Siemens\HiPath 4000 Expert Access\ComWinAccess.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\OfficeScan NT\NTRtScan.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
c:\program files\OfficeScan NT\TmListen.exe
c:\winnt\system32\wbem\unsecapp.exe
c:\winnt\ms\sms\clicomp\apa\Bin\SMSAPM32.exe
c:\program files\OfficeScan NT\CNTAoSMgr.exe
c:\winnt\Temp\QT8BB3.EXE
c:\program files\Siemens\CAT Bulletin Board\CBB.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.exe
c:\program files\Apoint2K\ApntEx.exe
c:\winnt\ms\sms\clicomp\SWDist32\bin\SMSMon32.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\winnt\system32\msiexec.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Iomega\Iomega Backup\dtsc.exe
c:\winnt\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2009-06-15 17:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-15 16:09
ComboFix2.txt 2009-06-15 00:22

Pre-Run: 5,057,740,800 bytes free
Post-Run: 5,106,200,576 bytes free

515

#6 Rorschach112

Advanced Member

Volunteer Security Advisor
2180 posts

Posted 15 June 2009 - 10:17 PM

hi

Download TFC to your desktop

Open the file and close any other windows.
It will close all programs itself when run, make sure to let it run uninterrupted.
Click the Start button to begin the process. The program should not take long to finish its job
Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Go to Kaspersky website and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

By the power of truth, I, while living, have conquered the universe.

~Scratch~

My help is always free, but if you want to donate to help me continue my fight against malware then click here

#7 GraemeT

Member

Members
14 posts

Posted 16 June 2009 - 05:39 AM

Hi there

Thank you for you assistance, here are the two scan files:

Malwarebytes' Anti-Malware 1.37
Database version: 2285
Windows 5.1.2600 Service Pack 2

15/06/2009 23:17:38
mbam-log-2009-06-15 (23-17-38).txt

Scan type: Quick Scan
Objects scanned: 129882
Time elapsed: 8 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{014da6cc-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6c1-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{014da6cb-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\1 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\mozilla firefox\a.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\fikisezi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, June 16, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, June 16, 2009 00:07:21
Records in database: 2347468
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: Infected:
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
H:\
K:\
R:\
S:\

Scan statistics:
Files scanned: 83361
Threat name: 8
Infected objects: 88
Suspicious objects: 0
Duration of the scan: 04:35:03

Infected: / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINNT\system32\bivehuso.dll.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINNT\system32\dawotihi.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINNT\system32\finonada.dll.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINNT\system32\fomuboza.dll.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINNT\system32\fowoboba.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINNT\system32\fujatoki.dll.tmp.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINNT\system32\gabojiki.dll.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINNT\system32\gawugude.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINNT\system32\gupupehi.dll.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINNT\system32\hutafivu.dll.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINNT\system32\jipanidi.dll.tmp.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINNT\system32\kilidifa.dll.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINNT\system32\kufuzoku.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINNT\system32\larifise.dll.tmp.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINNT\system32\lirudoho.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINNT\system32\masorewu.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINNT\system32\muhonigu.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINNT\system32\noleriji.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINNT\system32\rutahizo.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINNT\system32\rutuwivi.dll.tmp.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINNT\system32\sazuyaga.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINNT\system32\tonadule.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINNT\system32\vajezinu.dll.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINNT\system32\viyetowu.dll.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINNT\system32\vurifegu.dll.tmp.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINNT\system32\wevozahe.dll.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINNT\system32\wimoroka.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINNT\system32\wofujevo.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINNT\system32\yetisono.dll.tmp.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINNT\system32\yolobohi.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINNT\system32\yunewire.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINNT\system32\yuwajuhu.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINNT\system32\zuhuvapo.dll.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINNT\system32\zujerivi.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\[4]-Submit_2009-06-15_16.42.55.zip Infected: Trojan.Win32.Monder.cmwt 5
C:\Qoobox\Quarantine\[4]-Submit_2009-06-15_16.42.55.zip Infected: Trojan.Win32.Small.bzi 2
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP523\A0046499.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP523\A0046500.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.br 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP523\A0046503.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.as 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP536\A0049711.EXE Infected: Worm.Win32.AutoRun.upy 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP541\A0050805.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP541\A0050806.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP541\A0050807.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP545\A0050917.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP545\A0050918.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP546\A0050991.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP546\A0050992.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP546\A0050993.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP546\A0051022.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP560\A0053099.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP562\A0054157.exe Infected: Trojan.Win32.Small.bzi 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP562\A0054158.exe Infected: Trojan-Dropper.Win32.Agent.atmg 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP562\A0054162.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP562\A0054258.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP562\A0054423.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054508.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054509.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054513.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054514.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054515.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054516.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054517.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054518.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054519.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054521.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054522.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054524.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054526.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054527.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054528.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054535.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054536.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054537.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054541.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054542.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054543.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054544.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054545.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054547.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054548.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054549.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054550.dll Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{906966FB-ED47-44B3-BCDD-810672AA5039}\RP565\A0054551.dll Infected: Trojan.Win32.Monder.cmwt 1

The selected area was scanned.

#8 Rorschach112

Advanced Member

Volunteer Security Advisor
2180 posts

Posted 16 June 2009 - 03:23 PM

post a new HJT Log

By the power of truth, I, while living, have conquered the universe.

~Scratch~

My help is always free, but if you want to donate to help me continue my fight against malware then click here

#9 GraemeT

Member

Members
14 posts

Posted 16 June 2009 - 08:33 PM

Hi,

As requested.

Regards,

G

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:42:53, on 16/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Siemens\CAT Bulletin Board\CBBS.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Program Files\Siemens\HiPath 4000 Expert Access\ComWinSvc.exe
C:\Program Files\Siemens\HiPath 4000 Expert Access\ComWinAccess.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\Program Files\Siemens Communications\PCAuditorService\PCAuditorService.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\WINNT\TEMP\WXE440.EXE
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\Program Files\OfficeScan NT\CNTAoSMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Siemens\CAT Bulletin Board\CBB.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\OfficeScan NT\pccntmon.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Siemens\HiPath 4000 Expert Access\comwinsvr.exe
C:\Program Files\Iomega\Iomega Backup\dtsc.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Wireshark\dumpcap.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\mstsc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://insite.intran...enscomms.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://insite.intran...CATXP/xpcat.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = GBNTHT12015SRV:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.sitest.net;*.siemens.net;*.siemens.de;127.0.0.1;localhost;NTH4553C;<local>;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {88cb6025-4ac4-4d85-b8b7-2021f796eb5f} - (no file)
O3 - Toolbar: BS.Player ControlBar - {2C688203-7EB3-4327-9995-1CB417BA23F9} - C:\Program Files\BS.Player ControlBar\BSToolbar.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Java Profiles Fix] C:\Program Files\Java\Profile Fix\Java_Profile.exe
O4 - HKLM\..\Run: [JavaProfileFix2] C:\Program Files\Java\Profile Fix\Java_Profile_2.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DirXconnect settings] C:\PROGRA~1\SIEMENS\DIRXDI~1\dxdSetup.exe -silent -dxcsettings
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [USM] C:\Program Files\Siemens\USM\USM.exe
O4 - HKLM\..\Run: [FmViewF9] C:\PROGRA~1\WINCOR~1\FMView\FMVIEWF9.DLL -l
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [Discovery User Input] C:\Discovery\User Input\userin32.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [JavaProfileFix3] "C:\Program Files\Java\Profile Fix\JAVA_Fix 3.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CatUserRun] exec32 /wh /c chgreg5 /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ComWin-Frame] C:\Program Files\Siemens\HiPath 4000 Expert Access\comwinsvr.exe /hidemainform
O4 - HKUS\S-1-5-21-205172245-3898785446-1611566086-1008\..\Run: [CatUserRun] wscript.exe "C:\Program Files\CatPC\CatLogon\CatUserRun.vbe" (User 'SMSCliSvcAcct&')
O4 - HKUS\S-1-5-21-205172245-3898785446-1611566086-1008\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe" (User 'SMSCliSvcAcct&')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe" (User 'Default user')
O4 - Global Startup: Iomega Backup Scheduler.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.216.10.121.30
O15 - Trusted Zone: *.affiniti.com
O15 - Trusted Zone: *.atlas.co.uk
O15 - Trusted Zone: *.cisco.com
O15 - Trusted Zone: *.conferencelobby.com
O15 - Trusted Zone: *.conferencing.com
O15 - Trusted Zone: *.confirmit.com
O15 - Trusted Zone: *.corporateexpress.co.uk
O15 - Trusted Zone: *.custhelp.com
O15 - Trusted Zone: *.designafairs.com
O15 - Trusted Zone: *.documentgenie.co.uk
O15 - Trusted Zone: *.ecommittees.bsi-global.com
O15 - Trusted Zone: *.edvantage.net
O15 - Trusted Zone: *.freeway.demo.lionbridge.com
O15 - Trusted Zone: *.g-dms.com
O15 - Trusted Zone: *.genesys.com
O15 - Trusted Zone: *.genesysmeetingcenter.com
O15 - Trusted Zone: *.genesysrichmedia.com
O15 - Trusted Zone: *.hipath-partnernet.icn.siemens.com
O15 - Trusted Zone: *.iconf.net
O15 - Trusted Zone: *.lufthansa.com
O15 - Trusted Zone: *.mchp7fra.siemens.com
O15 - Trusted Zone: *.mcmplus.com
O15 - Trusted Zone: *.monsoon5.com
O15 - Trusted Zone: *.mrtedtalentlink.com
O15 - Trusted Zone: *.multimediabrains.nl
O15 - Trusted Zone: *.mymeetingplace.net
O15 - Trusted Zone: *.openscape.siemenscomms.net
O15 - Trusted Zone: *.passport.com
O15 - Trusted Zone: *.plantro.net
O15 - Trusted Zone: *.polycom.com
O15 - Trusted Zone: *.procon.cpdni.gov.uk
O15 - Trusted Zone: *.raindance.com
O15 - Trusted Zone: *.remedy.com
O15 - Trusted Zone: *.retaillink.wal-mart.com
O15 - Trusted Zone: *.rightnowdemo.com
O15 - Trusted Zone: *.rightnowtech.com
O15 - Trusted Zone: *.sap-ag.de
O15 - Trusted Zone: *.sap.com
O15 - Trusted Zone: *.siebel.com
O15 - Trusted Zone: *.siemens-cam.com
O15 - Trusted Zone: *.siemenscomms.co.uk
O15 - Trusted Zone: *.silentedge.co.uk
O15 - Trusted Zone: *.thomasinternational.net
O15 - Trusted Zone: *.vebra.com
O15 - Trusted Zone: *.webex.com
O15 - Trusted Zone: *.sap-ag.de (HKLM)
O15 - Trusted Zone: *.sap.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_13) -
O16 - DPF: {F53270D3-0E32-48B7-B63B-159E33210F70} (Livelink Edit Control) - https://www.g-dms.co...bexp/lledit.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gb002.siemens.net
O17 - HKLM\Software\..\Telephony: DomainName = gb002.siemens.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B3E5D43-083F-4C69-9951-244100FAB5ED}: Domain = gb002.siemens.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B3E5D43-083F-4C69-9951-244100FAB5ED}: NameServer = 172.23.3.8,172.24.35.206
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gb002.siemens.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CatSystem (CatSystemSvc) - Siemens AG - C:\WINNT\CATPC\CATSYS\CatSystemSvc.exe
O23 - Service: CAT Bulletin Board (CBBS) - Unknown owner - C:\Program Files\Siemens\CAT Bulletin Board\CBBS.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\Centenn.ial\Audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C:\Centenn.ial\Audit\xferwan.exe
O23 - Service: ComWin Service (ComWinService) - Unknown owner - C:\Program Files\Siemens\HiPath 4000 Expert Access\ComWinSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe
O23 - Service: PCAuditorService - Siemens Enterprise Communications Ltd - C:\Program Files\Siemens Communications\PCAuditorService\PCAuditorService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe

--
End of file - 12941 bytes

#10 Rorschach112

Advanced Member

Volunteer Security Advisor
2180 posts

Posted 16 June 2009 - 11:10 PM

Your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Download OTC to your desktop and run it
Click Yes to beginning the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com.../readstep2.html

Below I have included a number of recommendations for how to protect your computer against malware infections.

Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.
SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.
SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
Make Internet Explorer more secure
- Click Start > Run
- Type Inetcpl.cpl & click OK
- Click on the Security tab
- Click Reset all zones to default level
- Make sure the Internet Zone is selected & Click Custom level
- In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
- Next Click OK, then Apply button and then OK to exit the Internet Properties page.
ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.
- NoScript - for blocking ads and other potential website attacks
- McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling
Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Its important to keep programs up to date so that malware doesn't exploit any old security flaws.
Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
Please read my guide on how to prevent malware and about safe computing here

Thank you for your patience, and performing all of the procedures requested.

By the power of truth, I, while living, have conquered the universe.

~Scratch~

My help is always free, but if you want to donate to help me continue my fight against malware then click here

#11 Rorschach112

Advanced Member

Volunteer Security Advisor
2180 posts

Posted 20 June 2009 - 08:46 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

Everyone else please begin a New Topic.

Thank you !

By the power of truth, I, while living, have conquered the universe.

~Scratch~

My help is always free, but if you want to donate to help me continue my fight against malware then click here

Back to Resolved/Inactive HijackThis Logs

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users