
Desktop Infected

Discussion in 'Malware and Virus Removal Archive' started by deester, 2009/01/05.

deester (Thread Starter), 2009/01/05:
    Logfile of random's system information tool 1.05 (written by random/random)
    Run by Dee at 2009-01-05 18:35:10
    Microsoft Windows XP Home Edition Service Pack 3
    System drive C: has 44 GB (76%) free of 57 GB
    Total RAM: 479 MB (37% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:35:26 PM, on 1/5/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\ScsiAccess.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Winferno\WSS\WSS.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\AOL\1211853138\ee\AOLSoftware.exe
    C:\WINDOWS\vVX3000.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
    C:\WINDOWS\System32\svchost.exe
    D:\LELA\setup.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Dee\Desktop\RSIT.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Dee.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1211853138\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [WinSpywareProtect] "C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe" /autorun (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [MSI Configuration] msiconf.exe (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [e©ùýùÆûïèóÎÇøøÈøôãÊýíñûÇÞó] C:\Program Files\XP Antivirus\xpa.exe (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [74574266311245236118584784498563] C:\Program Files\XP Antivirus\xpa.exe (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [Cognac] C:\DOCUME~1\ted\LOCALS~1\Temp\~tmpb.exe (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [MSFox] C:\DOCUME~1\ted\LOCALS~1\Temp\a.exe (User 'ted')
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
    O4 - S-1-5-21-527237240-764733703-725345543-1004 Startup: AOL Desktop.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe (User 'ted')
    O4 - S-1-5-21-527237240-764733703-725345543-1004 User Startup: AOL Desktop.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe (User 'ted')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
    O23 - Service: Winferno Subscription Service - Capital Intellect Inc - C:\Program Files\Common Files\Winferno\WSS\WSS.exe

    --
    End of file - 10926 bytes

    ======Scheduled tasks folder======

    C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
    C:\WINDOWS\tasks\Microsoft_Hardware_Launch_setup_exe.job
    C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
    C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
    C:\WINDOWS\tasks\ParetoLogic Update.job
    C:\WINDOWS\tasks\Symantec NetDetect.job
    C:\WINDOWS\tasks\WSSHelper.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    &Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-01-19 806424]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2}]
    My Web Search Bar BHO - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
    Windows Live Toolbar Helper - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-10-19 546320]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
    CNavExtBho Class - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll [2002-11-14 112248]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-01-19 806424]
    {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - WeatherBug Browser Bar - powered by MyWebSearch - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL []
    {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - Windows Live Toolbar - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-10-19 546320]
    {0BF43445-2F28-4351-9252-17FE6E806AA0}
    8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2
    {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Norton AntiVirus - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll [2002-11-14 112248]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "IntelliPoint"=c:\Program Files\Microsoft IntelliPoint\ipoint.exe [2006-11-21 842584]
    "ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2002-08-19 50880]
    "ccRegVfy"=C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe [2002-08-19 34504]
    "HostManager"=C:\Program Files\Common Files\AOL\1211853138\ee\AOLSoftware.exe [2007-10-08 41824]
    "VX3000"=C:\WINDOWS\vVX3000.exe [2006-12-05 707360]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-02-05 98304]
    "Lexmark X6100 Series"=C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe [2003-05-16 57344]
    "SiteAdvisor"=C:\Program Files\SiteAdvisor\6172\SiteAdv.exe []
    "SiSUSBRG"=C:\WINDOWS\SiSUSBrg.exe [2002-07-12 106496]
    "SiS Windows KeyHook"=C:\WINDOWS\system32\keyhook.exe [2004-05-12 249856]
    "PinnacleDriverCheck"=C:\WINDOWS\system32\PSDrvCheck.exe [2003-11-10 406016]
    "NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
    "ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-06-16 81920]
    "ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-06-16 221184]
    "AOLDialer"=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [2006-10-23 71216]
    "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
    "SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2004-02-26 65024]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2007-10-18 5724184]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
    C:\Program Files\Microsoft LifeCam\LifeExp.exe [2007-01-12 275800]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2007-10-18 5724184]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    C:\Program Files\Real\RealPlayer\RealPlay.exe [2007-02-05 26112]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE [2003-12-13 630915]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    C:\PROGRA~1\Kodak\KODAKS~1\7288971\Program\BACKWE~1.EXE [2003-06-08 16432]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
    C:\PROGRA~1\MICROS~2\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
    Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-08-24 133120]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Driver]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Guard]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SYMTDI]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=145
    "NoDrives"=0
    "NoResolveSearch"=1

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveAutoRun"=
    "NoDriveTypeAutoRun"=
    "NoDrives"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader"
    "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
    "C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
    "C:\Program Files\Common Files\AOL\System Information\sinf.exe"="C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL"
    "C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe"="C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe:*:Enabled:backWeb-7288971"
    "C:\WINDOWS\system32\LEXPPS.EXE"="C:\WINDOWS\system32\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
    "C:\Program Files\Microsoft LifeCam\LifeCam.exe"="C:\Program Files\Microsoft LifeCam\LifeCam.exe:*:Enabled:LifeCam.exe"
    "C:\Program Files\Microsoft LifeCam\LifeExp.exe"="C:\Program Files\Microsoft LifeCam\LifeExp.exe:*:Enabled:LifeExp.exe"
    "C:\Program Files\Common Files\AOL\1211853138\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1211853138\ee\aolsoftware.exe:*:Enabled:AOL Shared Components"
    "C:\Program Files\AOL 9.1\waol.exe"="C:\Program Files\AOL 9.1\waol.exe:*:Enabled:AOL"
    "C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe"="C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
    "C:\Program Files\Common Files\AOL\1211853138\ee\AOLDesktop.exe"="C:\Program Files\Common Files\AOL\1211853138\ee\AOLDesktop.exe:*:Enabled:AOL Desktop"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

    ======File associations======

    .reg - open - regedit.exe "%1" %*
    .scr - open - "%1" %*

    ======List of files/folders created in the last 3 months======

    2009-01-05 18:35:10 ----D---- C:\rsit
    2008-12-12 03:05:15 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
    2008-12-12 03:01:13 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
    2008-12-12 03:00:56 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
    2008-11-13 03:01:34 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
    2008-11-13 03:01:26 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
    2008-11-13 03:01:10 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
    2008-10-25 21:06:24 ----SHD---- C:\Config.Msi
    2008-10-24 02:00:47 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
    2008-10-16 02:01:59 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
    2008-10-16 02:01:52 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
    2008-10-16 02:01:45 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
    2008-10-16 02:00:59 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
    2008-10-16 02:00:42 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$

    ======List of files/folders modified in the last 3 months======

    2009-01-05 18:35:05 ----D---- C:\WINDOWS\Prefetch
    2009-01-05 18:33:02 ----D---- C:\Program Files\Mozilla Firefox
    2009-01-05 13:32:15 ----D---- C:\WINDOWS\temp
    2009-01-05 13:27:52 ----A---- C:\VETlog.txt
    2009-01-05 13:27:38 ----A---- C:\WINDOWS\win.ini
    2009-01-05 12:48:48 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2009-01-05 10:12:35 ----D---- C:\Program Files\Common Files\Symantec Shared
    2009-01-04 15:30:44 ----A---- C:\WINDOWS\lexstat.ini
    2009-01-04 04:28:00 ----A---- C:\WINDOWS\SchedLgU.Txt
    2009-01-01 21:31:42 ----D---- C:\WINDOWS\system32\CatRoot2
    2008-12-31 11:54:13 ----D---- C:\Temp
    2008-12-30 19:50:41 ----SHD---- C:\WINDOWS\Installer
    2008-12-26 13:59:44 ----D---- C:\Program Files\Google
    2008-12-25 17:53:39 ----HD---- C:\WINDOWS\inf
    2008-12-18 04:28:55 ----D---- C:\WINDOWS
    2008-12-18 03:07:37 ----D---- C:\WINDOWS\system32
    2008-12-18 03:00:26 ----HD---- C:\WINDOWS\$hf_mig$
    2008-12-16 20:30:09 ----A---- C:\WINDOWS\NeroDigital.ini
    2008-12-13 01:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
    2008-12-12 18:44:16 ----D---- C:\WINDOWS\WinSxS
    2008-12-12 18:44:00 ----DC---- C:\WINDOWS\system32\DRVSTORE
    2008-12-12 18:43:59 ----D---- C:\WINDOWS\system32\drivers
    2008-12-12 18:43:48 ----D---- C:\Program Files\Common Files
    2008-12-12 18:42:49 ----D---- C:\Program Files\Pure Networks
    2008-12-12 18:42:36 ----SD---- C:\WINDOWS\system32\Microsoft
    2008-12-12 03:05:20 ----A---- C:\WINDOWS\imsins.BAK
    2008-12-12 03:04:49 ----D---- C:\Program Files\Internet Explorer
    2008-12-09 18:24:37 ----A---- C:\WINDOWS\system32\MRT.exe
    2008-11-20 11:15:48 ----D---- C:\Documents and Settings\All Users\Application Data\AOL
    2008-11-19 05:46:11 ----D---- C:\WINDOWS\Help
    2008-11-02 16:35:34 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
    2008-10-26 18:45:51 ----D---- C:\WINDOWS\system32\CatRoot
    2008-10-26 18:41:24 ----D---- C:\WINDOWS\system32\wbem
    2008-10-26 18:38:19 ----D---- C:\WINDOWS\system32\config
    2008-10-26 18:37:55 ----D---- C:\WINDOWS\Registration
    2008-10-26 18:35:39 ----D---- C:\WINDOWS\system32\Restore
    2008-10-23 07:36:14 ----A---- C:\WINDOWS\system32\gdi32.dll
    2008-10-23 05:06:59 ----N---- C:\WINDOWS\system32\tzchange.exe
    2008-10-16 15:38:40 ----A---- C:\WINDOWS\system32\wininet.dll
    2008-10-16 15:38:39 ----N---- C:\WINDOWS\system32\occache.dll
    2008-10-16 15:38:39 ----N---- C:\WINDOWS\system32\mstime.dll
    2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\webcheck.dll
    2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\urlmon.dll
    2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\url.dll
    2008-10-16 15:38:39 ----A---- C:\WINDOWS\system32\pngfilt.dll
    2008-10-16 15:38:38 ----N---- C:\WINDOWS\system32\msrating.dll
    2008-10-16 15:38:38 ----A---- C:\WINDOWS\system32\mshtmled.dll
    2008-10-16 15:38:37 ----N---- C:\WINDOWS\system32\jsproxy.dll
    2008-10-16 15:38:37 ----N---- C:\WINDOWS\system32\iernonce.dll
    2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
    2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\msfeeds.dll
    2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\iertutil.dll
    2008-10-16 15:38:37 ----A---- C:\WINDOWS\system32\ieframe.dll
    2008-10-16 15:38:35 ----N---- C:\WINDOWS\system32\iedkcs32.dll
    2008-10-16 15:38:35 ----N---- C:\WINDOWS\system32\ieaksie.dll
    2008-10-16 15:38:35 ----N---- C:\WINDOWS\system32\ieakeng.dll
    2008-10-16 15:38:35 ----N---- C:\WINDOWS\system32\extmgr.dll
    2008-10-16 15:38:35 ----A---- C:\WINDOWS\system32\ieapfltr.dll
    2008-10-16 15:38:35 ----A---- C:\WINDOWS\system32\icardie.dll
    2008-10-16 15:38:34 ----A---- C:\WINDOWS\system32\dxtrans.dll
    2008-10-16 15:38:34 ----A---- C:\WINDOWS\system32\dxtmsft.dll
    2008-10-16 15:38:34 ----A---- C:\WINDOWS\system32\advpack.dll
    2008-10-16 14:13:40 ----A---- C:\WINDOWS\system32\wuweb.dll
    2008-10-16 14:13:40 ----A---- C:\WINDOWS\system32\wuaueng.dll
    2008-10-16 14:12:22 ----A---- C:\WINDOWS\system32\wucltui.dll
    2008-10-16 14:12:20 ----A---- C:\WINDOWS\system32\wuapi.dll
    2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\wups2.dll
    2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\wuauclt.exe
    2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\cdm.dll
    2008-10-16 14:09:40 ----A---- C:\WINDOWS\system32\wucltui.dll.mui
    2008-10-16 14:08:58 ----A---- C:\WINDOWS\system32\wups.dll
    2008-10-16 14:07:44 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
    2008-10-16 14:07:14 ----A---- C:\WINDOWS\system32\wuaueng.dll.mui
    2008-10-16 14:06:48 ----A---- C:\WINDOWS\system32\muweb.dll
    2008-10-16 14:06:48 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
    2008-10-16 14:06:48 ----A---- C:\WINDOWS\system32\mucltui.dll
    2008-10-16 08:11:09 ----N---- C:\WINDOWS\system32\ie4uinit.exe
    2008-10-16 08:11:09 ----A---- C:\WINDOWS\system32\ieudinit.exe
    2008-10-15 11:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll
    2008-10-15 11:34:24 ----A---- C:\WINDOWS\system32\netapi32(2).dll
    2008-10-15 02:04:53 ----N---- C:\WINDOWS\system32\ieakui.dll

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2008-04-13 37760]
    R1 DcCam;Kodak Camera Proxy; C:\WINDOWS\system32\DRIVERS\DcCam.sys [2003-12-05 36918]
    R1 SiSkp;SiSkp; C:\WINDOWS\system32\DRIVERS\srvkp.sys [2004-05-11 12416]
    R1 vobiw;vobiw; C:\WINDOWS\system32\drivers\vobiw.sys [2004-07-06 188416]
    R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-03-31 12032]
    R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2007-02-05 8552]
    R2 DCFS2K;Kodak DCFS2K Driver; C:\WINDOWS\system32\drivers\dcfs2k.sys [2003-11-16 38737]
    R2 SAVRTPEL;SAVRTPEL; \??\C:\WINDOWS\system32\Drivers\SAVRTPEL.SYS []
    R2 SYMTDI;SYMTDI; \??\C:\WINDOWS\system32\Drivers\SYMTDI.SYS []
    R3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2004-02-23 400384]
    R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-03-19 613244]
    R3 ASAPIW2K;ASAPIW2K; C:\WINDOWS\System32\Drivers\ASAPIW2K.sys [2003-11-28 11264]
    R3 cdrdrv;Cdrdrv; C:\WINDOWS\System32\Drivers\Cdrdrv.sys [2004-06-01 64000]
    R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
    R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081231.003\NAVENG.Sys []
    R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081231.003\NavEx15.Sys []
    R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2006-11-07 21760]
    R3 SAVRT;SAVRT; \??\C:\WINDOWS\system32\Drivers\SAVRT.SYS []
    R3 SiS315;SiS315; C:\WINDOWS\system32\DRIVERS\sisgrp.sys [2004-05-14 217600]
    R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\System32\DRIVERS\sisnic.sys [2004-08-03 32768]
    R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
    R3 SYMREDRV;SYMREDRV; \??\C:\WINDOWS\system32\Drivers\SYMREDRV.SYS []
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
    R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
    R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
    R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
    S1 Exportit;Exportit; C:\WINDOWS\system32\DRIVERS\exportit.sys [2003-12-05 148529]
    S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
    S3 DcFpoint;DcFpoint; C:\WINDOWS\system32\DRIVERS\DcFpoint.sys [2003-09-30 61564]
    S3 DcLps;Legacy Polling Service; C:\WINDOWS\system32\DRIVERS\DcLps.sys [2003-09-30 8022]
    S3 DcPTP;dcptp; C:\WINDOWS\system32\DRIVERS\DcPTP.sys [2003-12-05 68182]
    S3 FXDRV;FXDRV; \??\D:\Fxdrv.sys []
    S3 HidBatt;HID UPS Battery Driver; C:\WINDOWS\system32\DRIVERS\HidBatt.sys [2008-04-13 20352]
    S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
    S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
    S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
    S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
    S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
    S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
    S3 VX3000;VX-3000; C:\WINDOWS\system32\DRIVERS\VX3000.sys [2006-12-05 1964064]
    S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 AOL ACS;AOL Connectivity Service; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [2006-10-23 46640]
    R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2002-08-08 308936]
    R2 KodakCCS;Kodak Camera Connection Software; C:\WINDOWS\system32\drivers\KodakCCS.exe [2003-12-05 314424]
    R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2003-05-16 303104]
    R2 MSCamSvc;MSCamSvc; C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-01-04 240408]
    R2 navapsvc;Norton AntiVirus Auto Protect Service; C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe [2002-11-14 116336]
    R2 ScsiAccess;ScsiAccess; C:\WINDOWS\system32\ScsiAccess.EXE [2003-02-04 181312]
    R2 Winferno Subscription Service;Winferno Subscription Service; C:\Program Files\Common Files\Winferno\WSS\WSS.exe [2007-09-07 126976]
    S2 SBService;ScriptBlocking Service; C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe [2001-08-13 54408]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
    S3 ccPwdSvc;Symantec Password Validation Service; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2002-08-19 63176]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
    S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
    S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

    -----------------EOF-----------------
    http://www.windowsbbs.com/windows-xp/80201-infected-desktop.html
     
  2. 2009/01/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi deester,

    Please visit the following webpage for instructions for downloading and running ComboFix

    How to use ComboFix


    Download ComboFix by sUBs from here, saving the file to your desktop.


    Disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    **NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.
     

  4. 2009/01/06
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    Thanks, Noah, for your help. I never use this computer, so I know nothing about it.
    ComboFix 09-01-05.05 - Dee 2009-01-06 7:26:14.10 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.163 [GMT -5:00]
    Running from: c:\documents and settings\Dee\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\404Fix.exe
    c:\windows\system32\dumphive.exe
    c:\windows\system32\IEDFix.C.exe
    c:\windows\system32\IEDFix.exe
    c:\windows\system32\Process.exe
    c:\windows\system32\SrchSTS.exe
    c:\windows\system32\tmp.reg
    c:\windows\system32\VACFix.exe
    c:\windows\system32\VCCLSID.exe
    c:\windows\system32\WS2Fix.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
    .

    2009-01-05 18:35 . 2009-01-05 18:35 <DIR> d-------- C:\rsit
    2008-12-25 18:02 . 2009-01-05 10:13 <DIR> d-------- c:\documents and settings\Dee\Contacts
    2008-12-18 03:06 . 2008-12-18 03:06 268 --ah----- C:\sqmdata18.sqm
    2008-12-18 03:06 . 2008-12-18 03:06 244 --ah----- C:\sqmnoopt18.sqm

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-06 12:09 --------- d-----w c:\program files\Common Files\Symantec Shared
    2008-12-26 18:59 --------- d-----w c:\program files\Google
    2008-12-12 23:42 --------- d-----w c:\program files\Pure Networks
    2008-11-20 16:15 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
    2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
    2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
    2008-10-15 16:34 337,408 ----a-w c:\windows\system32\netapi32(2).dll
    1998-12-09 02:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
    1998-12-09 02:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
    1998-12-09 02:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
    1998-12-09 02:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
    1998-12-09 02:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL
    1998-12-09 02:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
    2008-06-19 17:04 32 --sha-w c:\windows\{907E937B-59BD-46EB-8C00-170EA0FF8DE4}.dat
    2008-06-19 17:05 32 --sha-w c:\windows\{BE0F15FE-3B90-4612-95E9-E497C6D4CEB1}.dat
    2008-06-19 17:05 32 --sha-w c:\windows\system32\{809E1F85-AA19-4CE1-A8FA-0A36AE60E149}.dat
    2008-06-19 17:04 32 --sha-w c:\windows\system32\{F8D91BE1-CE2B-45BE-A911-032EFD33BE03}.dat
    2008-10-04 19:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100420081005\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 842584]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 50880]
    "ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 34504]
    "HostManager"="c:\program files\Common Files\AOL\1211853138\ee\AOLSoftware.exe" [2007-10-08 41824]
    "VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-05 98304]
    "Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-05-16 57344]
    "SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
    "SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-05-12 249856]
    "PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
    "AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "SoundMan"="SOUNDMAN.EXE" [2004-02-26 c:\windows\SOUNDMAN.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

    c:\documents and settings\ted\Start Menu\Programs\Startup\
    AOL Desktop.lnk - c:\program files\Common Files\AOL\Launch\aollaunch.exe [2007-04-12 42032]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
    Utility Tray.lnk - c:\windows\system32\sistray.exe [2007-02-05 335872]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0daila

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
    backup=c:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
    --a------ 2007-01-12 20:48 275800 c:\program files\Microsoft LifeCam\LifeExp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    --a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    --a------ 2007-02-05 18:09 26112 c:\program files\Real\RealPlayer\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
    "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1211853138\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\AOL 9.1\\waol.exe"=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1211853138\\ee\\AOLDesktop.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP"=67:UDP:DHCP Discovery Service

    R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [2003-08-01 29239]
    R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2004-07-06 188416]
    R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2004-06-01 64000]
    R4 Winferno Subscription Service;Winferno Subscription Service;c:\program files\Common Files\Winferno\WSS\WSS.exe [2008-02-25 126976]
    S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

    2007-12-27 c:\windows\Tasks\Microsoft_Hardware_Launch_setup_exe.job
    - D:\setup.exe []

    2009-01-03 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
    - c:\progra~1\NORTON~1\NORTON~1\NAVW32.exe [2002-11-14 18:31]

    2009-01-03 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
    - c:\program files\Norton SystemWorks\OBC.exe [2002-08-29 20:30]

    2009-01-06 c:\windows\Tasks\ParetoLogic Update.job
    - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2007-09-18 23:55]

    2009-01-06 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 08:04]

    2009-01-06 c:\windows\Tasks\WSSHelper.job
    - c:\program files\Common Files\Winferno\WSS\WSSHelper.exe [2007-07-26 12:49]
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2 - (no file)
    HKLM-Run-SiteAdvisor - c:\program files\SiteAdvisor\6172\SiteAdv.exe


    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uInternet Settings,ProxyOverride = localhost
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    FF - ProfilePath - c:\documents and settings\Dee\Application Data\Mozilla\Firefox\Profiles\20qh97m7.default\
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-06 07:28:15
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-527237240-764733703-725345543-1004\Software\Microsoft\MSN Apps\Buttons\C*NULL*B*NULL*_*NULL*m*NULL*i*NULL*c*NULL*r*NULL*o*NULL*s*NULL*o*NULL*f*NULL*t*NULL*.*NULL*w*NULL*Œj2G]
    "Zone"=dword:00000003
    "Pos"=dword:00000001
    "Visible"=dword:00000001
    .
    Completion time: 2009-01-06 7:30:03
    ComboFix-quarantined-files.txt 2009-01-06 12:29:46
    ComboFix2.txt 2008-08-09 05:10:26

    Pre-Run: 45,509,234,688 bytes free
    Post-Run: 45,842,870,272 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    190 --- E O F --- 2008-12-18 08:00:57
     
  5. 2009/01/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please scan with HijackThis and save the log, then post it here.
     
  6. 2009/01/06
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:06:21 AM, on 1/6/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\ScsiAccess.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Winferno\WSS\WSS.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\AOL\1211853138\ee\AOLSoftware.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1211853138\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [WinSpywareProtect] "C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe" /autorun (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [MSI Configuration] msiconf.exe (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [e©ùýùÆûïèóÎÇøøÈøôãÊýíñûÇÞó] C:\Program Files\XP Antivirus\xpa.exe (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [74574266311245236118584784498563] C:\Program Files\XP Antivirus\xpa.exe (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [Cognac] C:\DOCUME~1\ted\LOCALS~1\Temp\~tmpb.exe (User 'ted')
    O4 - HKUS\S-1-5-21-527237240-764733703-725345543-1004\..\Run: [MSFox] C:\DOCUME~1\ted\LOCALS~1\Temp\a.exe (User 'ted')
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
    O4 - S-1-5-21-527237240-764733703-725345543-1004 Startup: AOL Desktop.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe (User 'ted')
    O4 - S-1-5-21-527237240-764733703-725345543-1004 User Startup: AOL Desktop.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe (User 'ted')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
    O23 - Service: Winferno Subscription Service - Capital Intellect Inc - C:\Program Files\Common Files\Winferno\WSS\WSS.exe

    --
    End of file - 10688 bytes
     
  7. 2009/01/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Appears there is a user account named ted on the machine. Please delete the copy of ComboFix you have, then logon to the ted account, download a fresh copy of ComboFix from here and run it as previously described. Post the log it creates here.
     
  8. 2009/01/07
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    Noah,
    I have been unable to download ComboFix under Ted's account. I have tried every way I know; it will not work from the links or websites. Please help. Thanks.
    Deester
     
  9. 2009/01/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Log back into your account and download it. Save it directly to the root of the drive (Local Disk C:).
    Log back into the ted account and run ComboFix from where it is.
     
  10. 2009/01/08
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    I know I'm not the sharpest tool in the shed, but I'm having no luck at all with this. I have spent hours and still cannot get Combofix where I can run on Ted's account.
    Deester
     
  11. 2009/01/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hmmmm........ back on your account, download a fresh copy again but give it a different name prior to saving it. Save it to the drive root again. Try running from ted once more.
     
  12. 2009/01/08
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    I am not able to save to anything; all I get is the run function. Even when I get the save function, it does not give me an option to save to a destination. This has got me completely frustrated.
    Thanks for your help,
    Deester
     
  13. 2009/01/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Open the recycle bin and right click ComboFix.exe then select Restore.
    If there are 2 copies, restore them both.
    There should now be one on your desktop and one in Local Disk C:
    Please make sure the copy in C: exists then proceed as follows.

    Highlight and copy the contents of the code box below.
    Code:
    
    cd \
    copy /y combofix.exe grumbofox.exe
    exit
    cls
    
    Click Start > Run and type cmd, then hit Enter to open a command window. Right click in the command window and select Paste. The command window will close on its own.

    Now reboot the machine and begin tapping F8 upon startup to enable the Advanced Start Menu
    Select Safe Mode from the list.
    Logon to the ted account then open Local Disk C: and double click grumbofox.exe to run it.
    If it runs successfully, allow it to reboot the machine if it wants and allow it to boot normally.
    Logon to the ted account and wait for the tool to complete and the log to open.
    Post the log here.
     
  14. 2009/01/09
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    I used a Flash drive
    ComboFix 09-01-08.04 - ted 2009-01-09 5:29:38.12 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.97 [GMT -5:00]
    Running from: c:\documents and settings\ted\My Documents\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\program files\windows media player\mplayer2.exe
    c:\windows\system32\BUBHE6PH.exe.a_a
    c:\windows\system32\msxml71.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
    .

    2009-01-08 23:27 . 2009-01-08 23:27 73,728 --a------ c:\windows\system32\BUBHE6PH.exe
    2009-01-08 19:25 . 2009-01-08 19:26 <DIR> d-------- C:\fixcombo
    2009-01-05 18:35 . 2009-01-05 18:35 <DIR> d-------- C:\rsit
    2008-12-25 18:02 . 2009-01-05 10:13 <DIR> d-------- c:\documents and settings\Dee\Contacts
    2008-12-18 03:06 . 2008-12-18 03:06 268 --ah----- C:\sqmdata18.sqm
    2008-12-18 03:06 . 2008-12-18 03:06 244 --ah----- C:\sqmnoopt18.sqm

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-09 10:24 --------- d-----w c:\program files\Common Files\Symantec Shared
    2008-12-26 18:59 --------- d-----w c:\program files\Google
    2008-12-12 23:42 --------- d-----w c:\program files\Pure Networks
    2008-11-20 16:15 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
    2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
    2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
    2008-10-15 16:34 337,408 ----a-w c:\windows\system32\netapi32(2).dll
    1998-12-09 02:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
    1998-12-09 02:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
    1998-12-09 02:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
    1998-12-09 02:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
    1998-12-09 02:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL
    1998-12-09 02:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
    2008-06-19 17:04 32 --sha-w c:\windows\{907E937B-59BD-46EB-8C00-170EA0FF8DE4}.dat
    2008-06-19 17:05 32 --sha-w c:\windows\{BE0F15FE-3B90-4612-95E9-E497C6D4CEB1}.dat
    2008-06-19 17:05 32 --sha-w c:\windows\system32\{809E1F85-AA19-4CE1-A8FA-0A36AE60E149}.dat
    2008-06-19 17:04 32 --sha-w c:\windows\system32\{F8D91BE1-CE2B-45BE-A911-032EFD33BE03}.dat
    2008-10-04 19:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100420081005\index.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2009-01-06_ 7.28.33.32 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-04-14 00:12:19 1,033,728 -c--a-w c:\windows\system32\dllcache\explorer.exe
    + 2008-04-14 00:12:20 27,136 -c--a-w c:\windows\system32\dllcache\findstr.exe
    + 2008-04-14 00:11:54 144,384 -c--a-w c:\windows\system32\dllcache\imagehlp.dll
    + 2008-04-14 00:12:24 13,312 -c--a-w c:\windows\system32\dllcache\lsass.exe
    + 2008-04-14 00:11:58 71,680 -c--a-w c:\windows\system32\dllcache\msacm32.dll
    + 2008-04-14 00:12:02 551,936 -c--a-w c:\windows\system32\dllcache\oleaut32.dll
    + 2008-04-14 00:12:02 34,816 -c--a-w c:\windows\system32\dllcache\perfproc.dll
    + 2008-04-14 00:12:36 50,688 -c--a-w c:\windows\system32\dllcache\smss.exe
    + 2008-04-14 00:12:06 18,944 -c--a-w c:\windows\system32\dllcache\snmpapi.dll
    + 2008-04-14 00:12:36 57,856 -c--a-w c:\windows\system32\dllcache\spoolsv.exe
    + 2008-04-14 00:12:36 14,336 -c--a-w c:\windows\system32\dllcache\svchost.exe
    + 2008-04-14 00:12:08 26,112 -c--a-w c:\windows\system32\dllcache\vdmdbg.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "PhotoShow Deluxe Media Manager "= "c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 212992]
    "MsnMsgr "= "c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "IW_Drop_Icon "= "c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2004-04-20 1122816]
    "InstantTray "= "c:\program files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe" [2004-05-06 772096]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelliPoint "= "c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 842584]
    "ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 50880]
    "ccRegVfy "= "c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 34504]
    "HostManager "= "c:\program files\Common Files\AOL\1211853138\ee\AOLSoftware.exe" [2007-10-08 41824]
    "VX3000 "= "c:\windows\vVX3000.exe" [2006-12-05 707360]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2007-02-05 98304]
    "Lexmark X6100 Series "= "c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-05-16 57344]
    "SiSUSBRG "= "c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
    "SiS Windows KeyHook "= "c:\windows\system32\keyhook.exe" [2004-05-12 249856]
    "PinnacleDriverCheck "= "c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
    "NeroFilterCheck "= "c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
    "ISUSPM Startup "= "c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
    "AOLDialer "= "c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "SoundMan "= "SOUNDMAN.EXE" [2004-02-26 c:\windows\SOUNDMAN.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ALUAlert "= "c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

    c:\documents and settings\ted\Start Menu\Programs\Startup\
    AOL Desktop.lnk - c:\program files\Common Files\AOL\Launch\aollaunch.exe [2007-04-12 42032]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
    Utility Tray.lnk - c:\windows\system32\sistray.exe [2007-02-05 335872]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0daila

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
    backup=c:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
    --a------ 2007-01-12 20:48 275800 c:\program files\Microsoft LifeCam\LifeExp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    --a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    --a------ 2007-02-05 18:09 26112 c:\program files\Real\RealPlayer\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe "=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe "=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe "=
    "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe "=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE "=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe "=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe "=
    "c:\\Program Files\\Common Files\\AOL\\1211853138\\ee\\aolsoftware.exe "=
    "c:\\Program Files\\AOL 9.1\\waol.exe "=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe "=
    "c:\\Program Files\\Common Files\\AOL\\1211853138\\ee\\AOLDesktop.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP "= 67:UDP:DHCP Discovery Service

    R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [2003-08-01 29239]
    R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2004-07-06 188416]
    R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2004-06-01 64000]
    R4 Winferno Subscription Service;Winferno Subscription Service;c:\program files\Common Files\Winferno\WSS\WSS.exe [2008-02-25 126976]
    S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - ATWPKT2
    *Deregistered* - ATWPKT2
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-09 c:\windows\Tasks\At1.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At10.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At11.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At12.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At13.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At14.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At15.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At16.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At17.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At18.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At19.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At2.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At20.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At21.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At22.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At23.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At24.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At3.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At4.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At5.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At6.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At7.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At8.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\At9.job
    - c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

    2009-01-09 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

    2007-12-27 c:\windows\Tasks\Microsoft_Hardware_Launch_setup_exe.job
    - D:\setup.exe []

    2009-01-03 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
    - c:\progra~1\NORTON~1\NORTON~1\NAVW32.exe [2002-11-14 18:31]

    2009-01-03 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
    - c:\program files\Norton SystemWorks\OBC.exe [2002-08-29 20:30]

    2009-01-08 c:\windows\Tasks\ParetoLogic Update.job
    - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2007-09-18 23:55]

    2009-01-09 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 08:04]

    2009-01-09 c:\windows\Tasks\WSSHelper.job
    - c:\program files\Common Files\Winferno\WSS\WSSHelper.exe [2007-07-26 12:49]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
    HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
    HKCU-Run-AROReminder - c:\program files\Advanced Registry Optimizer\aro.exe


    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
    uStart Page = hxxp://www.mapquest.com
    uInternet Settings,ProxyOverride = localhost
    IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZR
    FF - ProfilePath - c:\documents and settings\ted\Application Data\Mozilla\Firefox\Profiles\ks0ev2j3.default\
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-09 05:33:20
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-01-09 5:35:56
    ComboFix-quarantined-files.txt 2009-01-09 10:35:52
    ComboFix2.txt 2009-01-06 12:30:06
    ComboFix3.txt 2008-08-09 05:10:26

    Pre-Run: 46,485,381,120 bytes free
    Post-Run: 46,459,817,984 bytes free

    247 --- E O F --- 2008-12-18 08:00:57
     
  15. 2009/01/09
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    Noah,
Should have told you, I had already used the flash drive before I received your last instructions. Was bound and determined to get this thing done. Need to ask you a side question and if it is inappropriate, just tell me. I have a new laptop with Vista and I am not adjusting well; what am I getting into by switching to XP?
    Thanks for your patience and help,
    Deester
     
  16. 2009/01/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
Less security and backpedaling. I don't know how long you've had Vista, but I encourage you to endure a while longer. ;)

    Good job deester! Complete the following from the ted account.

    Once again, disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it next to ComboFix.exe as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    
    Collect::[22]
    c:\windows\system32\BUBHE6PH.exe
    Suspect::[22]
    c:\windows\{907E937B-59BD-46EB-8C00-170EA0FF8DE4}.dat
    c:\windows\{BE0F15FE-3B90-4612-95E9-E497C6D4CEB1}.dat
    c:\windows\system32\{809E1F85-AA19-4CE1-A8FA-0A36AE60E149}.dat
    c:\windows\system32\{F8D91BE1-CE2B-45BE-A911-032EFD33BE03}.dat
    Driver::
    FXDRV
    File::
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\Microsoft_Hardware_Launch_setup_exe.job
    DDS::
    uSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
    IE: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZR
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log here.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Please note that I have instructed CFScript to collect some files for analysis. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send.


    **NOTE - Allow ComboFix to update if prompted.
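Added example, not code from the thread, from noahdfear, or from ComboFix: a small Python triage script that reads the "Contents of the 'Scheduled Tasks' folder" section of a ComboFix log like the one posted above and flags the pattern the CFScript's File:: list acts on (At<N>.job tasks, many jobs sharing one target, and tasks whose target file is missing). The log excerpt embedded in it is constructed from the posted log, with only a few of the 24 At<N>.job entries.

```python
"""Triage the "Scheduled Tasks" section of a ComboFix log.

Added example for this thread; it is not ComboFix code and not the
helper's own method. The log excerpt below is constructed from the
log posted above (a few of the 24 At<N>.job entries, not all of them).
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder

2009-01-09 c:\windows\Tasks\At1.job
- c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

2009-01-09 c:\windows\Tasks\At2.job
- c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

2009-01-09 c:\windows\Tasks\At24.job
- c:\windows\system32\BUBHE6PH.exe [2009-01-08 23:27]

2009-01-09 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2007-12-27 c:\windows\Tasks\Microsoft_Hardware_Launch_setup_exe.job
- D:\setup.exe []

2009-01-03 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NORTON~1\NAVW32.exe [2002-11-14 18:31]
.
- - - - ORPHANS REMOVED - - - -
"""

SECTION_HEADER = "Contents of the 'Scheduled Tasks' folder"
JOB_LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (.+\.job)$", re.IGNORECASE)
TARGET_LINE_RE = re.compile(r"^- (.+?) \[(.*)\]$")
AT_JOB_RE = re.compile(r"\\At\d+\.job$", re.IGNORECASE)


def parse_scheduled_tasks(log_text):
    """Return (job_path, target_path, stamp) tuples from the Scheduled Tasks section.

    ComboFix prints each task as a dated .job line followed by a "- target [stamp]"
    line, and closes the section with a lone "." line.
    """
    tasks = []
    in_section = False
    pending_job = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(SECTION_HEADER):
            in_section = True
            continue
        if not in_section:
            continue
        if line == ".":
            break
        m = JOB_LINE_RE.match(line)
        if m:
            pending_job = m.group(2)
            continue
        m = TARGET_LINE_RE.match(line)
        if m and pending_job is not None:
            tasks.append((pending_job, m.group(1), m.group(2)))
            pending_job = None
    return tasks


def triage_tasks(tasks, shared_threshold=3):
    """Group parsed tasks into the findings a removal helper looks for first."""
    by_target = defaultdict(list)
    for job, target, _stamp in tasks:
        by_target[target.lower()].append(job)
    return {
        # At<N>.job files are created by at.exe; installed software almost never
        # uses them, and the posted log had 24 of them pointing at one dropped file.
        "at_jobs": [job for job, _t, _s in tasks if AT_JOB_RE.search(job)],
        # Many jobs sharing one target is the hourly-relaunch pattern worth escalating.
        "shared_targets": {t: jobs for t, jobs in by_target.items()
                           if len(jobs) >= shared_threshold},
        # An empty "[]" stamp means the target file was not found on disk.
        "dangling": [(job, target) for job, target, stamp in tasks if stamp == ""],
    }


if __name__ == "__main__":
    for key, value in triage_tasks(parse_scheduled_tasks(SAMPLE_LOG)).items():
        print(key, value)
```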
     
  17. 2009/01/10
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    I was not instructed to find any files to post in box, ? correctly.
    ComboFix 09-01-09.03 - ted 2009-01-10 5:51:15.14 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.108 [GMT -5:00]
    Running from: c:\documents and settings\ted\My Documents\ComboFix.exe
    Command switches used :: c:\documents and settings\ted\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\Microsoft_Hardware_Launch_setup_exe.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\windows\system32\BUBHE6PH.exe
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job
    c:\windows\Tasks\Microsoft_Hardware_Launch_setup_exe.job

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_FXDRV
    -------\Service_FXDRV


    ((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
    .

    2009-01-10 05:35 . 2009-01-10 05:34 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-01-10 05:03 . 2009-01-10 05:03 244 --ah----- C:\sqmnoopt19.sqm
    2009-01-10 05:03 . 2009-01-10 05:03 232 --ah----- C:\sqmdata19.sqm
    2009-01-09 06:08 . 2009-01-09 06:08 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Yahoo!
    2009-01-08 19:25 . 2009-01-08 19:26 <DIR> d-------- C:\fixcombo
    2009-01-05 18:35 . 2009-01-05 18:35 <DIR> d-------- C:\rsit
    2008-12-25 18:02 . 2009-01-05 10:13 <DIR> d-------- c:\documents and settings\Dee\Contacts
    2008-12-18 03:06 . 2008-12-18 03:06 268 --ah----- C:\sqmdata18.sqm
    2008-12-18 03:06 . 2008-12-18 03:06 244 --ah----- C:\sqmnoopt18.sqm

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-10 10:34 --------- d-----w c:\program files\Java
    2009-01-10 10:29 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-01-10 09:47 --------- d-----w c:\program files\Common Files\Adobe
    2009-01-09 16:11 --------- d-----w c:\program files\DX Enterprises CB. Antenna Guide
    2008-12-26 18:59 --------- d-----w c:\program files\Google
    2008-12-12 23:42 --------- d-----w c:\program files\Pure Networks
    2008-11-20 16:15 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
    2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
    2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
    2008-10-15 16:34 337,408 ----a-w c:\windows\system32\netapi32(2).dll
    1998-12-09 02:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
    1998-12-09 02:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
    1998-12-09 02:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
    1998-12-09 02:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
    1998-12-09 02:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL
    1998-12-09 02:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
    2008-06-19 17:04 32 --sha-w c:\windows\{907E937B-59BD-46EB-8C00-170EA0FF8DE4}.dat
    2008-06-19 17:05 32 --sha-w c:\windows\{BE0F15FE-3B90-4612-95E9-E497C6D4CEB1}.dat
    2008-06-19 17:05 32 --sha-w c:\windows\system32\{809E1F85-AA19-4CE1-A8FA-0A36AE60E149}.dat
    2008-06-19 17:04 32 --sha-w c:\windows\system32\{F8D91BE1-CE2B-45BE-A911-032EFD33BE03}.dat
    2008-10-04 19:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100420081005\index.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2009-01-06_ 7.28.33.32 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
    + 2009-01-10 09:48:26 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A81300000003}\SC_Reader.exe
    + 2008-04-14 00:12:19 1,033,728 -c--a-w c:\windows\system32\dllcache\explorer.exe
    + 2008-04-14 00:12:20 27,136 -c--a-w c:\windows\system32\dllcache\findstr.exe
    + 2008-04-14 00:11:54 144,384 -c--a-w c:\windows\system32\dllcache\imagehlp.dll
    + 2008-04-14 00:12:24 13,312 -c--a-w c:\windows\system32\dllcache\lsass.exe
    + 2008-04-14 00:11:58 71,680 -c--a-w c:\windows\system32\dllcache\msacm32.dll
    + 2008-04-14 00:12:02 551,936 -c--a-w c:\windows\system32\dllcache\oleaut32.dll
    + 2008-04-14 00:12:02 34,816 -c--a-w c:\windows\system32\dllcache\perfproc.dll
    + 2008-04-14 00:12:36 50,688 -c--a-w c:\windows\system32\dllcache\smss.exe
    + 2008-04-14 00:12:06 18,944 -c--a-w c:\windows\system32\dllcache\snmpapi.dll
    + 2008-04-14 00:12:36 57,856 -c--a-w c:\windows\system32\dllcache\spoolsv.exe
    + 2008-04-14 00:12:36 14,336 -c--a-w c:\windows\system32\dllcache\svchost.exe
    + 2008-04-14 00:12:08 26,112 -c--a-w c:\windows\system32\dllcache\vdmdbg.dll
    + 2008-04-14 00:12:39 507,904 -c--a-w c:\windows\system32\dllcache\winlogon.exe
    - 2008-06-10 05:21:01 135,168 ----a-w c:\windows\system32\java.exe
    + 2009-01-10 10:34:43 144,792 ----a-w c:\windows\system32\java.exe
    - 2008-06-10 05:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
    + 2009-01-10 10:34:43 144,792 ----a-w c:\windows\system32\javaw.exe
    - 2008-06-10 06:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
    + 2009-01-10 10:34:43 148,888 ----a-w c:\windows\system32\javaws.exe
    + 2009-01-10 10:35:10 16,384 ----atw c:\windows\temp\Perflib_Perfdata_f78.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "PhotoShow Deluxe Media Manager "= "c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 212992]
    "MsnMsgr "= "c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "IW_Drop_Icon "= "c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2004-04-20 1122816]
    "InstantTray "= "c:\program files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe" [2004-05-06 772096]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelliPoint "= "c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 842584]
    "ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 50880]
    "ccRegVfy "= "c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 34504]
    "HostManager "= "c:\program files\Common Files\AOL\1211853138\ee\AOLSoftware.exe" [2007-10-08 41824]
    "VX3000 "= "c:\windows\vVX3000.exe" [2006-12-05 707360]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2007-02-05 98304]
    "Lexmark X6100 Series "= "c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-05-16 57344]
    "SiSUSBRG "= "c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
    "SiS Windows KeyHook "= "c:\windows\system32\keyhook.exe" [2004-05-12 249856]
    "PinnacleDriverCheck "= "c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
    "NeroFilterCheck "= "c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
    "ISUSPM Startup "= "c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
    "AOLDialer "= "c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-01-10 136600]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "SoundMan "= "SOUNDMAN.EXE" [2004-02-26 c:\windows\SOUNDMAN.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ALUAlert "= "c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]
    "AdobeUpdater "= "c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]
    "msnmsgr "= "c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

    c:\documents and settings\ted\Start Menu\Programs\Startup\
    AOL Desktop.lnk - c:\program files\Common Files\AOL\Launch\aollaunch.exe [2007-04-12 42032]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
    Utility Tray.lnk - c:\windows\system32\sistray.exe [2007-02-05 335872]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0daila

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
    backup=c:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
    --a------ 2007-01-12 20:48 275800 c:\program files\Microsoft LifeCam\LifeExp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    --a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    --a------ 2007-02-05 18:09 26112 c:\program files\Real\RealPlayer\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe "=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe "=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe "=
    "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe "=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE "=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe "=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe "=
    "c:\\Program Files\\Common Files\\AOL\\1211853138\\ee\\aolsoftware.exe "=
    "c:\\Program Files\\AOL 9.1\\waol.exe "=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe "=
    "c:\\Program Files\\Common Files\\AOL\\1211853138\\ee\\AOLDesktop.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP "= 67:UDP:DHCP Discovery Service

    R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [2003-08-01 29239]
    R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2004-07-06 188416]
    R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2004-06-01 64000]
    R4 Winferno Subscription Service;Winferno Subscription Service;c:\program files\Common Files\Winferno\WSS\WSS.exe [2008-02-25 126976]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - JAVAQUICKSTARTERSERVICE
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-10 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

    2009-01-10 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
    - c:\progra~1\NORTON~1\NORTON~1\NAVW32.exe [2002-11-14 18:31]

    2009-01-09 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
    - c:\program files\Norton SystemWorks\OBC.exe [2002-08-29 20:30]

    2009-01-10 c:\windows\Tasks\ParetoLogic Update.job
    - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2007-09-18 23:55]

    2009-01-10 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 08:04]

    2009-01-10 c:\windows\Tasks\WSSHelper.job
    - c:\program files\Common Files\Winferno\WSS\WSSHelper.exe [2007-07-26 12:49]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.mapquest.com
    uInternet Settings,ProxyOverride = localhost
    FF - ProfilePath - c:\documents and settings\ted\Application Data\Mozilla\Firefox\Profiles\ks0ev2j3.default\
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-10 05:54:08
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-01-10 5:56:36
    ComboFix-quarantined-files.txt 2009-01-10 10:56:21
    ComboFix2.txt 2009-01-09 10:35:58
    ComboFix3.txt 2009-01-06 12:30:06
    ComboFix4.txt 2008-08-09 05:10:26

    Pre-Run: 46,070,349,824 bytes free
    Post-Run: 46,067,830,784 bytes free

    261 --- E O F --- 2008-12-18 08:00:57
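Added example, not from this thread, from ComboFix or from the poster: a small Python triage pass over ComboFix-style log text that flags the three items in the log above that a responder would want a second look at, namely entries in BootExecute beyond the stock `autocheck autochk *`, a non-zero `AntiVirusDisableNotify` under the Security Center key, and `At<N>.job` scheduled tasks like the ones queued for deletion later in the thread. The sample log text is constructed to mirror the shape of those lines, and the function and constant names are my own. None of these is a verdict by itself: some legitimate tools register their own BootExecute entries, and some antivirus products set the notify flag themselves, so a hit is a lead to check, not a confirmed infection.

```python
"""Triage a ComboFix-style log for a few persistence / defence-evasion indicators.

Added example for this thread; names and sample text are the author's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Value Windows writes by default. Anything else in BootExecute is launched by
# smss.exe early in boot, before services and most security software start.
DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]

# Constructed sample mirroring the lines in the log above (not a real capture).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0daila

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify "=dword:00000001

Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-01-10 c:\windows\Tasks\At1.job
2009-01-10 c:\windows\Tasks\At24.job
"""

# Constructed clean counterpart: default BootExecute, notify flag off, no At jobs.
CLEAN_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify "=dword:00000000
"""


@dataclass
class Findings:
    bootexecute_extra: list[str] = field(default_factory=list)
    av_notify_disabled: bool = False
    at_jobs: list[str] = field(default_factory=list)


def parse_bootexecute(value: str) -> list[str]:
    """Split a REG_MULTI_SZ as these logs render it, with a literal \\0 between entries."""
    return [entry for entry in value.split("\\0") if entry]


def triage(log_text: str) -> Findings:
    """Walk the log once, tracking the current registry key, and collect indicators."""
    findings = Findings()
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        if current_key.endswith("control\\session manager"):
            m = re.match(r"BootExecute\s+REG_MULTI_SZ\s+(.*)", line)
            if m:
                entries = parse_bootexecute(m.group(1))
                findings.bootexecute_extra = [e for e in entries if e not in DEFAULT_BOOTEXECUTE]
        if current_key.endswith("security center"):
            # The log renders the value name with a trailing space inside the quotes.
            m = re.match(r'"AntiVirusDisableNotify\s*"\s*=\s*dword:([0-9a-fA-F]{8})', line)
            if m and int(m.group(1), 16) != 0:
                findings.av_notify_disabled = True
        # at.exe-created tasks are named AtN.job; a long run of them is worth a look.
        m = re.search(r"c:\\windows\\Tasks\\(At\d+\.job)", line, re.IGNORECASE)
        if m and m.group(1) not in findings.at_jobs:
            findings.at_jobs.append(m.group(1))
    return findings


def report(findings: Findings) -> list[str]:
    """Human-readable lines; each is a lead to verify, not a verdict."""
    lines = []
    if findings.bootexecute_extra:
        lines.append("BootExecute has non-default entries: " + ", ".join(findings.bootexecute_extra))
    if findings.av_notify_disabled:
        lines.append("Security Center AntiVirusDisableNotify is set (AV warnings suppressed)")
    if findings.at_jobs:
        lines.append(f"{len(findings.at_jobs)} at.exe scheduled task(s): " + ", ".join(findings.at_jobs))
    return lines or ["no indicators found"]


if __name__ == "__main__":
    for text in (SAMPLE_LOG, CLEAN_LOG):
        print("\n".join(report(triage(text))))
        print("---")
```

Run it as-is and it prints the findings for the constructed sample followed by "no indicators found" for the clean counterpart. On a real log, feed the whole file in; the key tracking only matters for the two registry sections, so extra content is ignored.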
     
  18. 2009/01/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looking good! How's the computer running now?

    Please post the contents of C:\Qoobox\ComboFix-quarantined-files.txt
     
  19. 2009/01/11
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    I am not sure I know where to find this. This is the step I thought I was missing. I got a virus message when I downloaded ComboFix; that's the only virus message I've seen lately.
    Thanks for your help.
     
  20. 2009/01/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Some of the files embedded in ComboFix are detected by some antivirus apps due to their abilities. ComboFix is infection free. ;)

    Open My Computer>Local Disk C:>Qoobox and the ComboFix-quarantined-files.txt should be there.
     
  21. 2009/01/12
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    Hope this is what you want.
    http://www.windowsbbs.com/malware-virus-removal/80204-active-desktop-infected.html#post436950

    Collect::[22]
    c:\windows\system32\BUBHE6PH.exe
    Suspect::[22]
    c:\windows\{907E937B-59BD-46EB-8C00-170EA0FF8DE4}.dat
    c:\windows\{BE0F15FE-3B90-4612-95E9-E497C6D4CEB1}.dat
    c:\windows\system32\{809E1F85-AA19-4CE1-A8FA-0A36AE60E149}.dat
    c:\windows\system32\{F8D91BE1-CE2B-45BE-A911-032EFD33BE03}.dat
    Driver::
    FXDRV
    File::
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\Microsoft_Hardware_Launch_setup_exe.job
    DDS::
    uSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
    IE: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZR
     
