
Solved svchost.exe - Application Error always pops up in my PC

Discussion in 'Malware and Virus Removal Archive' started by nerimaru, 2009/07/30.

    nerimaru, Thread Starter, 2009/07/30
    [Resolved] svchost.exe - Application Error always pops up in my PC

    Hello. Good day to you all.

    I have this problem with my PC. Hours after I boot my PC, an error message box pops up in a window with the following message:

    svchost.exe - Application Error
    The instruction at "0x0123f496" referenced memory at "0x0134f496 ". The memory could not be "written ".
    Click on OK to terminate the program
    Click on CANCEL to debug the program

    Whichever button I click, my PC won't work properly. I have found in my personal research that svchost.exe is like the manager of the services/programs my PC needs to run normally. So after I see this error message, I would restart my PC.

    If this error message doesn't appear for some time, I get another error message with the following text:

    Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.

    I have read a post on this site about this kind of message but I guess we have a different cause. What I would do when I receive this error message is restart my PC.

    Additionally, I have Symantec AntiVirus and the antivirus always finds multiple w32.downadup.b. Some are cleaned and deleted and some I manually delete. I guess this is a worm and I'm thinking that this might be the cause of these problems.

    I used a w32.downadup.b remover (e.g. D.exe) but it didn't help.

    Thank you for your help and your generosity. I appreciate it so much.

    The following are the logs that I got by running the DDS software:
    DDS.txt
    DDS (Ver_09-07-30.01) - NTFSx86
    Run by reilabares at 10:23:24.79 on 07/31/2009 Fri
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.1014.172 [GMT 8:00]

    AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    D:\Program Files\Memory\RedGate.Profiler.IISProfileHost.exe
    C:\WINDOWS\System32\igfxpers.exe
    C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
    C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Thunderbird-Tray\TBTray.exe
    C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    C:\Program Files\SoapBox\SoapBox.exe
    C:\Program Files\stickies\stickies.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\WordWeb\wweb32.exe
    D:\Program Files\RedGate.Profiler.IISService.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
    C:\Program Files\xampp\apache\bin\apache.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
    C:\Program Files\OCS Inventory Agent\ocsservice.exe
    C:\Program Files\xampp\apache\bin\apache.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\My Documents\Downloads\dds.scr
    C:\WINDOWS\system32\conime.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.awesomehomepage.com/newsletter.php?list=positivethoughts
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyServer = ftp=proxy:3128;gopher=proxy:3128;http=proxy:3128;https=proxy:3128;socks=proxy:3128
    uInternet Settings,ProxyOverride = ;localhost;<local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: ATLAS Translation Bar: {3c6301ed-0f78-4af2-8150-d9c052361a8e} - c:\program files\atlas v12\ATLIECP.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: ATLAS Translation Bar: {3c6301ed-0f78-4af2-8150-d9c052361a8e} - c:\program files\atlas v12\ATLIECP.DLL
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\BackWeb-8876480.exe
    uRun: [I&F Viewer toolbar] "c:\program files\photo toolkit\ivbar\phototoolkitmem.exe" -start
    uRun: [Spark] c:\program files\spark\Spark.exe
    uRun: [WinUpdater] "c:\program files\winupdater\update.exe" /background
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe "
    mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
    mRun: [FinePrint Dispatcher v5] "c:\windows\system32\spool\drivers\w32x86\3\fpdisp5a.exe" /source=HKLM
    mRun: [QuickTime Task] "c:\program files\k-lite codec pack\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [SigmatelSysTrayApp] sttray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    StartupFolder: c:\docume~1\reilab~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.0\program\quickstart.exe
    StartupFolder: c:\docume~1\reilab~1\startm~1\programs\startup\shortc~1.lnk - c:\documents and settings\rein labares\my documents\installers2\ipmsg\ipmsg.exe
    StartupFolder: c:\docume~1\reilab~1\startm~1\programs\startup\shortc~2.lnk - c:\documents and settings\rein labares\my documents\installers2\ipmsg\ipmsg.exe
    StartupFolder: c:\docume~1\reilab~1\startm~1\programs\startup\soapbox.lnk - c:\program files\soapbox\SoapBox.exe
    StartupFolder: c:\docume~1\reilab~1\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe
    StartupFolder: c:\docume~1\reilab~1\startm~1\programs\startup\tb-tray.lnk - c:\program files\thunderbird-tray\TBTray.exe
    StartupFolder: c:\docume~1\reilab~1\startm~1\programs\startup\wordweb.lnk - c:\program files\wordweb\wweb32.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\privoxy.lnk - c:\program files\privoxy\privoxy.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tb-tray.lnk - c:\program files\thunderbird-tray\TBTray.exe
    uPolicies-explorer: HideClock = 0 (0x0)
    mPolicies-explorer: CZ_RESTRICTEDUSER = 1 (0x1)
    mPolicies-explorer: HideClock = 0 (0x0)
    IE: &Save Flash In This Page by Flash Saver - c:\progra~1\flashs~1\save.htm
    IE: &Translate with ATLAS - c:\program files\atlas v12\Atlscript.html
    IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {09EA1F80-F40A-11D1-B792-444553540001} - c:\progra~1\flashs~1\save.htm
    IE: {B7707A72-4355-11D4-82BD-00000EBBEF8D} - c:\program files\atlas v12\Atlscript.html
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_3_1_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Notify: igfxcui - igfxdev.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\reilab~1\applic~1\mozilla\firefox\profiles\c4qqmu8s.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.awesomehomepage.com/newsletter.php?list=positivethoughts
    FF - prefs.js: browser.startup.homepage - hxxp://www.awesomehomepage.com/newsletter.php?list=positivethoughts
    FF - prefs.js: browser.startup.homepage - hxxp://www.awesomehomepage.com/newsletter.php?list=positivethoughts
    FF - prefs.js: network.proxy.ftp - proxy
    FF - prefs.js: network.proxy.ftp_port - 3128
    FF - prefs.js: network.proxy.gopher - proxy
    FF - prefs.js: network.proxy.gopher_port - 3128
    FF - prefs.js: network.proxy.http - proxy
    FF - prefs.js: network.proxy.http_port - 3128
    FF - prefs.js: network.proxy.socks - proxy
    FF - prefs.js: network.proxy.socks_port - 3128
    FF - prefs.js: network.proxy.ssl - proxy
    FF - prefs.js: network.proxy.ssl_port - 3128
    FF - prefs.js: network.proxy.type - 1
    FF - component: c:\documents and settings\reilabares\application data\mozilla\firefox\profiles\c4qqmu8s.default\extensions\{a2049def-a235-488f-878c-b41f8071fa9c}\components\BossKey.dll
    FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npvlc.dll
    FF - plugin: c:\program files\opera 9\program\plugins\npdsplay.dll
    FF - plugin: c:\program files\opera 9\program\plugins\NPSWF32.dll
    FF - plugin: c:\program files\opera 9\program\plugins\npwmsdrm.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============

    R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
    R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
    R2 ANTS Memory Profiler 4 Service;ANTS Memory Profiler 4 Service;d:\program files\memory\RedGate.Profiler.IISProfileHost.exe [2008-11-19 20480]
    R2 ANTS Performance Profiler 4 Service;ANTS Performance Profiler 4 Service;d:\program files\RedGate.Profiler.IISService.exe [2009-4-29 8704]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-7 34064]
    R2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\ocs inventory agent\OcsService.exe [2008-4-21 69632]
    R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090729.005\naveng.sys [2009-7-30 87888]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090729.005\navex15.sys [2009-7-30 875728]
    S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
    S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

    =============== Created Last 30 ================

    2009-07-20 21:14 <DIR> --d----- C:\anime
    2009-07-08 08:17 344,064 -c------ c:\windows\system32\dllcache\localspl.dll

    ==================== Find3M ====================

    2009-06-16 22:55 82,432 a------- c:\windows\system32\fontsub.dll
    2009-06-16 20:25 119,808 a------- c:\windows\system32\t2embed.dll
    2009-06-04 03:27 1,290,752 a------- c:\windows\system32\quartz.dll
    2009-05-13 20:11 16,268 a------- c:\windows\desctemp.dat
    2009-05-07 23:44 344,064 a------- c:\windows\system32\localspl.dll
    2007-03-27 13:15 79,672 ac------ c:\docume~1\reilab~1\applic~1\GDIPFONTCACHEV1.DAT
    2005-05-13 17:12 217,073 ac-shr-- c:\windows\meta4.exe
    2005-10-24 11:13 66,560 ac-shr-- c:\windows\MOTA113.exe
    2005-10-13 21:27 422,400 ac-shr-- c:\windows\x2.64.exe
    2005-10-07 19:14 308,224 a--shr-- c:\windows\system32\avisynth.dll
    2005-07-14 12:31 27,648 a--shr-- c:\windows\system32\AVSredirect.dll
    2005-06-26 15:32 616,448 a--shr-- c:\windows\system32\cygwin1.dll
    2005-06-21 22:37 45,568 a--shr-- c:\windows\system32\cygz.dll
    2004-01-25 00:00 70,656 a--shr-- c:\windows\system32\i420vfw.dll
    2005-02-28 13:16 240,128 ac-shr-- c:\windows\system32\x.264.exe
    2004-01-25 00:00 217,088 a--shr-- c:\windows\system32\yv12vfw.dll

    ============= FINISH: 10:24:12.90 ===============

    Attach.txt
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-07-30.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/7/2006 2:01:02 PM
    System Uptime: 7/31/2009 9:41:03 AM (1 hours ago)

    Motherboard: Intel Corporation | | D945GTP
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | | 3000/200mhz
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | | 3000/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 39 GiB total, 3.661 GiB free.
    D: is FIXED (NTFS) - 35 GiB total, 2.519 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Bluetooth PAN Network Adapter
    Device ID: ROOT\NET\0000
    Manufacturer: IVT Corporation
    Name: Bluetooth PAN Network Adapter
    PNP Device ID: ROOT\NET\0000
    Service: BT

    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: rein
    Device ID: ROOT\WPD\0000
    Manufacturer: Nokia
    Name: rein
    PNP Device ID: ROOT\WPD\0000
    Service: WUDFRd

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    2007 Microsoft Office Suite Service Pack 1 (SP1)
    7-Zip 4.23
    ActiveState Komodo Edit 4.2.0
    Adobe Acrobat 5.0
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 9 ActiveX
    Adobe Reader 7.0
    Adobe Shockwave Player
    AndreaMosaic 3.22
    ANTS Profiler 4
    Apple Mobile Device Support
    Apple Software Update
    ATLAS Translation Double Pack V12.0
    Audacity 1.3.5 (Unicode)
    AVALON BB Tool
    Belarc Advisor 7.2
    BiblePro
    BlueSoleil
    CamStudio
    Critical Update for Windows Media Player 11 (KB959772)
    Dev-C++ 5 beta 9 release (4.9.9.2)
    DivX Web Player
    Ethereal 0.10.7
    Exodus Jabber Client (remove only)
    FileZilla (remove only)
    FinePrint
    Flash Saver
    FLV Player 2.0, build 24
    Foxit Reader
    Free Music Zilla
    FX Document Centre 235 PCL 6
    FX Document Centre 405 PCL 6
    GDR 3068 for SQL Server Database Services 2005 ENU (KB948109)
    GDR 3068 for SQL Server Tools and Workstation Components 2005 ENU (KB948109)
    Google Chrome
    High Definition Audio Driver Package - KB835221
    HokaTools
    Hotfix for Microsoft .NET Framework 3.0 (KB932471)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB928388)
    Hotfix for Windows XP (KB929120)
    Hotfix for Windows XP (KB952287)
    IDAutomation.com Code 39 Free Font
    Intel Audio Studio 2.0
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    iTunes
    Java 2 Runtime Environment Standard Edition v1.3.1_18
    Java(TM) 6 Update 11
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    Jude take 1.3
    K-Lite Mega Codec Pack 2.1.0
    LiveUpdate 2.6 (Symantec Corporation)
    Logitech Desktop Messenger
    Logitech iTouch Software
    Magic ISO Maker v5.2 (build 0191)
    Microsoft .NET Compact Framework 1.0 SP3 Developer
    Microsoft .NET Compact Framework 2.0
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0 Language Pack - JPN
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft .NET Framework 2.0 日本語 Language Pack
    Microsoft .NET Framework 3.0 Service Pack 1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Device Emulator version 1.0 - ENU
    Microsoft Document Explorer 2005
    Microsoft FrontPage Client - English
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Standard Edition 2003
    Microsoft Office Visio 2007 Service Pack 1 (SP1)
    Microsoft Office Visio MUI (English) 2007
    Microsoft Office Visio Professional 2007
    Microsoft Office Visio Viewer 2003 (English)
    Microsoft Office XP Media Content
    Microsoft PowerPoint Viewer 97
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
    Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
    Microsoft SQL Server 2005 Tools Express Edition
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft User-Mode Driver Framework Feature Pack 1.5
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual J# .NET Redistributable Package 1.1
    Microsoft Visual J# 2.0 Redistributable Package
    Microsoft Visual SourceSafe 6.0
    Microsoft Visual Studio .NET Enterprise Architect 2003 - English
    Microsoft Visual Studio 2005 Professional Edition - ENU
    Mozilla Firefox (3.0.4)
    Mozilla Thunderbird (2.0.0.4)
    MSDN Library for Visual Studio 2005
    MSVC80_x86
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser (KB933579)
    NetworkActiv PIAFCTM 2.2
    Nokia Connectivity Cable Driver
    Nokia PC Suite
    Notepad++
    OCS Inventory Agent 4.0.4.8
    OpenOffice.org 2.0
    Opera 9.61
    PC Connectivity Solution
    ProgressManager Ver2.2
    QuickTime
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for Microsoft Office Visio 2007 (KB957831)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937143)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB939653)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944338)
    Security Update for Windows XP (KB944533)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB947864)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB973346)
    SigmaTel Audio
    SoapBox
    SoundTap Uninstall
    Stickies 5.2b
    StopWatch ( Remove only)
    SUPER c Version 2006.19 (FIX)
    Switch
    Symantec AntiVirus
    Thunderbird-Tray
    TortoiseCVS 1.8.30
    UltraEdit-32 Uninstall
    Update for 2007 Microsoft Office System (KB967642)
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908521)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB916846)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB925876)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951618-v2)
    Update for Windows XP (KB967715)
    VideoLAN VLC media player 0.8.5
    Virtual Desktop Manager Powertoy for Windows XP
    Visual Studio .NET Enterprise Architect 2003 - English
    Visual Studio.NET Baseline - English
    VNC Free Edition 4.1.1
    Volume Logic Plug-in for Windows Media Player (remove only)
    WebFldrs XP
    Windows Driver Package - Nokia Modem (02/23/2009 7.01.0.2)
    Windows Driver Package - Nokia Modem (02/24/2009 4.0)
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    Windows Rights Management Client Backwards Compatibility SP2
    Windows Rights Management Client with Service Pack 2
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Service Pack 2
    WinMerge 2.2.2.0
    WinPcap 4.0.2
    WinRAR archiver
    Wireshark 1.0.2
    WordWeb
    XAMPP 1.5.5
    Xming 6.9.0.24
    XML Paper Specification Shared Components Pack 1.0
    送受信シミュレータ Me2

    ==== Event Viewer Messages From Past Week ========

    7/30/2009 3:03:52 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the ServiceLayer service to connect.
    7/30/2009 3:03:52 PM, error: Service Control Manager [7000] - The ServiceLayer service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    7/30/2009 3:03:46 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service ServiceLayer with arguments " " in order to run the server: {ACF50018-41F8-476D-85FD-CD953DAE4A49}
    7/30/2009 1:38:59 PM, error: Service Control Manager [7031] - The Symantec AntiVirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
    7/28/2009 10:21:50 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Apache2 service to connect.
    7/28/2009 10:21:50 AM, error: Service Control Manager [7000] - The Apache2 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    7/28/2009 1:43:27 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 960 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    7/27/2009 9:58:26 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    7/27/2009 5:43:27 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 480 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    7/24/2009 7:37:23 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 240 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    7/24/2009 5:37:22 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    7/24/2009 4:37:22 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    7/24/2009 4:07:22 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

    ==== End Of File ===========================
     
  2. 2009/07/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with ComboFix.
     


  4. 2009/07/31
    nerimaru

    nerimaru Inactive Thread Starter

    Joined:
    2009/07/29
    Messages:
    12
    Likes Received:
    0
    Hello broni. Sorry for the delayed response.

    I've already run the combofix.exe and the following is the log.

    By the way, I haven't found any HijackThis log file. Maybe I have misunderstood your statement. :)

    Thank you so much for your prompt reply and help.

    ComboFix 09-07-29.04 - reilabares 1/2009 Fri 13:32.1.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.1014.333 [GMT 8:00]
    Running from: c:\documents and settings\reilabares\My Documents\Downloads\ComboFix.exe
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\REILAB~1\LOCALS~1\Temp\IadHide4.dll
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\reilabares\Local Settings\Temp\IadHide4.dll
    c:\recycler\S-1-5-21-1482476501-1060284298-1343024091-1007
    c:\windows\system32\_000008_.tmp.dll
    c:\windows\system32\setup.exe.tmp

    ----- BITS: Possible infected sites -----

    hxxp://updates
    .
    ((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-31 )))))))))))))))))))))))))))))))
    .

    2009-07-31 05:48 . 2009-07-31 05:49 -------- d-----w- c:\documents and settings\TEMP
    2009-07-31 05:48 . 2009-07-31 05:48 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP2.dll
    2009-07-31 05:48 . 2009-07-31 05:48 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP1.dll
    2009-07-31 05:48 . 2009-07-31 05:48 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.dll
    2009-07-20 13:14 . 2009-07-27 02:29 -------- d-----w- C:\anime
    2009-07-08 00:17 . 2009-05-07 15:44 344064 -c----w- c:\windows\system32\dllcache\localspl.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-31 06:00 . 2006-12-08 08:48 -------- d-----w- c:\program files\Symantec AntiVirus
    2009-07-31 05:55 . 2008-06-09 15:06 -------- d-----w- c:\program files\OCS Inventory Agent
    2009-07-31 03:19 . 2007-05-16 06:27 -------- d-----w- c:\documents and settings\reilabares\Application Data\OpenOffice.org2
    2009-07-30 15:40 . 2009-06-05 02:15 -------- d-----w- c:\program files\送受信シュミレータ Me2
    2009-07-08 00:22 . 2008-07-06 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-06-17 06:29 . 2006-12-21 06:14 -------- d-----w- c:\program files\IDAutomation.com Code 39 Free Font
    2009-06-17 06:29 . 2008-07-06 18:22 -------- d-----w- c:\program files\HTML Help Workshop
    2009-06-17 06:29 . 2006-12-21 02:13 -------- d-----w- c:\program files\icons
    2009-06-17 06:29 . 2008-07-16 15:21 -------- d-----w- c:\program files\HokaTools
    2009-06-16 14:55 . 2003-03-31 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 12:25 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-16 07:14 . 2008-05-20 22:42 -------- d-----w- c:\documents and settings\reilabares\Application Data\PC Suite
    2009-06-16 07:14 . 2009-06-16 07:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
    2009-06-16 07:14 . 2008-05-20 22:49 -------- d-----w- c:\documents and settings\reilabares\Application Data\Nokia
    2009-06-16 07:12 . 2009-06-16 07:12 -------- d-----w- c:\program files\Common Files\PCSuite
    2009-06-16 07:12 . 2009-06-16 07:12 -------- d-----w- c:\program files\Common Files\Nokia
    2009-06-16 07:12 . 2009-06-16 07:10 -------- d-----w- c:\program files\Nokia
    2009-06-16 07:11 . 2009-06-16 07:11 -------- d-----w- c:\program files\DIFX
    2009-06-16 07:11 . 2009-06-16 07:11 -------- d-----w- c:\program files\PC Connectivity Solution
    2009-06-16 07:10 . 2009-06-16 07:10 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{AC4E9457-107B-448F-AD89-605E122E8C59}\Installer\CommonCustomActions\UninstCCD.exe
    2009-06-16 07:10 . 2009-06-16 07:10 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{AC4E9457-107B-448F-AD89-605E122E8C59}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
    2009-06-16 07:10 . 2009-06-16 07:10 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{AC4E9457-107B-448F-AD89-605E122E8C59}\Installer\CommonCustomActions\UninstPCS.exe
    2009-06-16 07:09 . 2009-06-16 07:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
    2009-06-10 17:39 . 2009-06-16 07:10 34515056 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{AC4E9457-107B-448F-AD89-605E122E8C59}\Nokia_PC_Suite_7_1_26_1_tgl_web.exe
    2009-06-10 07:57 . 2009-06-10 07:57 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Fujitsu
    2009-06-03 19:27 . 2006-12-11 10:54 1290752 ----a-w- c:\windows\system32\quartz.dll
    2009-05-13 12:11 . 2009-05-13 12:09 16268 ----a-w- c:\windows\desctemp.dat
    2009-05-07 15:44 . 2003-03-31 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
    2008-11-16 14:07 . 2008-06-26 15:28 134656 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
    2006-05-06 16:42 . 2007-04-16 07:58 7260160 ----a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
    2005-05-13 09:12 . 2005-05-13 09:12 217073 -csha-r- c:\windows\meta4.exe
    2005-10-24 03:13 . 2005-10-24 03:13 66560 -csha-r- c:\windows\MOTA113.exe
    2005-10-13 13:27 . 2005-10-13 13:27 422400 -csha-r- c:\windows\x2.64.exe
    2005-10-07 11:14 . 2005-10-07 11:14 308224 --sha-r- c:\windows\system32\avisynth.dll
    2005-07-14 04:31 . 2005-07-14 04:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
    2005-06-26 07:32 . 2005-06-26 07:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
    2005-06-21 14:37 . 2005-06-21 14:37 45568 --sha-r- c:\windows\system32\cygz.dll
    2004-01-24 16:00 . 2004-01-24 16:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
    2009-03-21 14:18 . 2003-03-31 12:00 168032 --sha-r- c:\windows\system32\kagkdjcs.dll
    2005-02-28 05:16 . 2005-02-28 05:16 240128 -csha-r- c:\windows\system32\x.264.exe
    2004-01-24 16:00 . 2004-01-24 16:00 217088 --sha-r- c:\windows\system32\yv12vfw.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2007-01-24 16384]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
    "igfxtray"="c:\windows\System32\igfxtray.exe" [2005-07-19 94208]
    "igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-07-19 77824]
    "igfxpers"="c:\windows\System32\igfxpers.exe" [2005-07-19 114688]
    "IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-08-09 8597586]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2002-08-29 208953]
    "MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
    "PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
    "FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-04-06 499712]
    "QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" [2006-09-01 282624]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-09 136600]
    "BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

    c:\documents and settings\Rein Labares\Start Menu\Programs\Startup\
    WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2006-12-8 44384]

    c:\documents and settings\reilabares\Start Menu\Programs\Startup\
    OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2005-9-23 61440]
    Shortcut (2) to ipmsg.lnk - c:\documents and settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe [2007-1-8 159232]
    Shortcut to ipmsg.exe.lnk - c:\documents and settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe [2007-1-8 159232]
    SoapBox.lnk - c:\program files\SoapBox\SoapBox.exe [2006-1-23 1017856]
    Stickies.lnk - c:\program files\stickies\stickies.exe [2006-3-29 348160]
    TB-Tray.lnk - c:\program files\Thunderbird-Tray\TBTray.exe [2005-11-9 38912]
    WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2006-12-8 44384]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2009-5-13 1183744]
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-1-24 169472]
    Privoxy.lnk - c:\program files\Privoxy\privoxy.exe [2006-11-20 250368]
    TB-Tray.lnk - c:\program files\Thunderbird-Tray\TBTray.exe [2005-11-9 38912]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "CZ_RESTRICTEDUSER"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Documents and Settings\\Rein Labares\\My Documents\\Installers2\\IPMsg\\ipmsg.exe"=
    "c:\\Program Files\\SoapBox\\SoapBox.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
    "c:\\Program Files\\stickies\\stickies.exe"=
    "c:\\Program Files\\xampp\\apache\\bin\\apache.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\FileZilla\\FileZilla.exe"=
    "c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
    "c:\\Documents and Settings\\reilabares\\My Documents\\Visual Studio 2005\\Projects\\SocketProg\\debug\\SocketProg.exe"=
    "c:\\Documents and Settings\\reilabares\\Desktop\\temp\\UDP Chat\\SGSserverUDP\\Server\\bin\\Debug\\Server.vshost.exe"=
    "c:\\Documents and Settings\\reilabares\\My Documents\\Visual Studio 2005\\Projects\\UDPServer\\debug\\UDPServer.exe"=
    "c:\\Documents and Settings\\reilabares\\Desktop\\temp\\UDP Chat\\SGSserverUDP\\Server\\bin\\Debug\\Server.exe"=
    "c:\program files\7-Zip\7zFMn.exe"= c:\program files\7-Zip\7zFMn.exe:172.28.61.44/255.255.255.255:Enabled:7-Zip File Manager
    "d:\\Project\\BB Debug Tool\\NCOS Release\\vers1.04.00\\release\\AVALONBBTool.exe"=
    "d:\\Project\\BB Debug Tool\\NCOS Release\\vers1.04.01\\release\\AVALONBBTool.exe"=
    "c:\\Program Files\\5NWP NCOS\\AVALON BB Tool\\AVALONBBTool.exe"=
    "d:\\Project\\BB Debug Tool\\NCOS Release\\vers1.05.00\\release\\AVALONBBTool.exe"=
    "c:\\WINDOWS\\system32\\ftp.exe"=
    "d:\\Project\\BB Debug Tool\\NCOS Release\\vers1.07.B0\\release\\AVALONBBTool.exe"=
    "d:\\Project\\BB Debug Tool\\NCOS Release\\vers1.08.B2\\release\\AVALONBBTool.exe"=
    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
    "d:\\Project\\BB Debug Tool\\investigation\\117\\solution\\release\\AVALONBBTool.exe"=
    "d:\\Project\\BB Debug Tool\\Simulator\\TrxSim\\DxTrxSim.exe"=
    "d:\\Project\\BB Debug Tool\\Simulator\\TrxSim\\DxTrxSim1.exe"=
    "c:\\Program Files\\送受信シュミレータ Me2\\TrxSim2.exe"=
    "d:\\Project\\BB Debug Tool\\Release 8\\Release 8 Over IT4\\release\\AVALONBBTool.exe"=
    "d:\\Project\\BB Debug Tool\\Release 9 Regression BN\\debug\\AVALONBBTool.exe"=
    "d:\\Project\\BB Debug Tool\\Release 9 Regression BN_1\\debug\\AVALONBBTool.exe"=
    "c:\\Program Files\\‘??o?M?V?…?~???[?^ Me2\\TrxSim2.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "4277:TCP"= 4277:TCP:emwdaabm

    R2 ANTS Memory Profiler 4 Service;ANTS Memory Profiler 4 Service;d:\program files\Memory\RedGate.Profiler.IISProfileHost.exe [11/19/2008 5:02 PM 20480]
    R2 ANTS Performance Profiler 4 Service;ANTS Performance Profiler 4 Service;d:\program files\RedGate.Profiler.IISService.exe [4/29/2009 1:20 PM 8704]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/7/2007 4:22 AM 34064]
    R2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\OCS Inventory Agent\OcsService.exe [4/21/2008 8:03 PM 69632]
    S2 mipyfpouu;Time Task;c:\windows\system32\svchost.exe -k netsvcs [3/31/2003 8:00 PM 14336]
    S3 nxgrlfz;nxgrlfz;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
    S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - MIPYFPOUU
    *Deregistered* - EraserUtilDrv10910
    *Deregistered* - EraserUtilRebootDrv

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    mipyfpouu
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 06:57]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SigmatelSysTrayApp - sttray.exe


    .
    ------- Supplementary Scan -------
    .
    IE: {{B7707A72-4355-11D4-82BD-00000EBBEF8D} - c:\program files\ATLAS V12\Atlscript.html
    FF - ProfilePath - c:\documents and settings\reilabares\Application Data\Mozilla\Firefox\Profiles\c4qqmu8s.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.awesomehomepage.com/newsletter.php?list=positivethoughts
    FF - prefs.js: browser.startup.homepage - hxxp://www.awesomehomepage.com/newsletter.php?list=positivethoughts
    FF - prefs.js: browser.startup.homepage - hxxp://www.awesomehomepage.com/newsletter.php?list=positivethoughts
    FF - prefs.js: browser.startup.homepage - hxxp://www.awesomehomepage.com/newsletter.php?list=positivethoughts
    FF - prefs.js: network.proxy.ftp - proxy
    FF - prefs.js: network.proxy.ftp_port - 3128
    FF - prefs.js: network.proxy.gopher - proxy
    FF - prefs.js: network.proxy.gopher_port - 3128
    FF - prefs.js: network.proxy.http - proxy
    FF - prefs.js: network.proxy.http_port - 3128
    FF - prefs.js: network.proxy.socks - proxy
    FF - prefs.js: network.proxy.socks_port - 3128
    FF - prefs.js: network.proxy.ssl - proxy
    FF - prefs.js: network.proxy.ssl_port - 3128
    FF - prefs.js: network.proxy.type - 1
    FF - component: c:\documents and settings\reilabares\Application Data\Mozilla\Firefox\Profiles\c4qqmu8s.default\extensions\{A2049DEF-A235-488f-878C-B41F8071FA9C}\components\BossKey.dll
    FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
    FF - plugin: c:\program files\Opera 9\program\plugins\npdsplay.dll
    FF - plugin: c:\program files\Opera 9\program\plugins\NPSWF32.dll
    FF - plugin: c:\program files\Opera 9\program\plugins\npwmsdrm.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-31 13:49
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nxgrlfz]
    "ImagePath"="\??\c:\windows\system32\01.tmp"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mipyfpouu]
    "ServiceDll"="c:\windows\system32\kagkdjcs.dll"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3836)
    c:\program files\TortoiseCVS\TrtseShl.dll
    c:\program files\Logitech\iTouch\iTchHk.dll
    c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCP80.dll
    c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_tgl.nlr
    c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\xampp\apache\bin\apache.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Symantec AntiVirus\DefWatch.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\program files\xampp\apache\bin\apache.exe
    c:\program files\xampp\mysql\bin\mysqld-nt.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\program files\RealVNC\VNC4\winvnc4.exe
    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\conime.exe
    c:\windows\system32\rundll32.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Mozilla Thunderbird\thunderbird.exe
    .
    **************************************************************************
    .
    Completion time: 2009-07-31 14:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-07-31 06:05

    Pre-Run: 3,593,359,360 bytes free
    Post-Run: 3,727,261,696 bytes free

    264 --- E O F --- 2009-07-30 00:37
     
  5. 2009/07/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\kagkdjcs.dll
    c:\windows\system32\01.tmp
    
    
    Folder::
    
    Driver::
    nxgrlfz
    mipyfpouu
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nxgrlfz]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mipyfpouu]
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: dragging CFScript.txt onto ComboFix.exe]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post the HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
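The CFScript above was written by hand from three places in the ComboFix log: the Drivers/Services list (a service whose binary is a `.tmp` file, and a svchost-hosted service with a random name), the `Svchost - NetSvcs` group listing, and the service keys dumped after the rootkit scan (`ImagePath`, `ServiceDll`). The Python below is an added example, not ComboFix's or the analyst's code, that reproduces that triage step: it parses those sections, flags services by the two indicators acted on in this thread, and emits the same `File::` / `Driver::` / `Registry::` layout. The sample log is constructed from entries quoted in this thread; the rule that every name under `Svchost - NetSvcs` is a non-default member (so worth flagging) is an assumption about how ComboFix prints that section.

```python
import re

# Constructed sample in the shape of the ComboFix sections used in this thread:
# the Drivers/Services list, the "Svchost - NetSvcs" group listing, and the
# service keys dumped after the rootkit scan. Not the full log.
SAMPLE_LOG = r"""
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/7/2007 4:22 AM 34064]
S2 mipyfpouu;Time Task;c:\windows\system32\svchost.exe -k netsvcs [3/31/2003 8:00 PM 14336]
S3 nxgrlfz;nxgrlfz;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
mipyfpouu
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nxgrlfz]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mipyfpouu]
"ServiceDll"="c:\windows\system32\kagkdjcs.dll"
"""

# "R2 name;display name;image [date size]" lines from the services section
SERVICE_RE = re.compile(r"^[RS]\d ([^;]+);[^;]*;(.*?)(?: \[[^\]]*\])?$")
# "[HKEY_LOCAL_MACHINE\System\ControlSetNNN\Services\name]" key headers
KEY_RE = re.compile(r"^\[(HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+))\]$", re.I)
# ImagePath / ServiceDll values; tolerant of the stray spaces forum rendering adds
VALUE_RE = re.compile(r'^"(ImagePath|ServiceDll)\s*"\s*=\s*"(.+?)\s*"$')


def _new(name):
    return {"name": name, "image": None, "reg_image": None, "dll": None,
            "netsvcs": False, "key": None}


def _clean(path):
    path = path.strip()
    if path.startswith("\\??\\"):      # NT object-manager prefix seen in ImagePath
        path = path[4:]
    return path


def parse_combofix(log):
    """Collect per-service facts, keyed by lower-cased service name."""
    services = {}
    in_netsvcs = False
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if line in ("", "."):          # ComboFix section separators
            in_netsvcs = False
            current = None
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, image = m.group(1), m.group(2)
            if " --> " in image:       # "\??\x --> x [?]" form: keep the resolved path
                image = image.split(" --> ", 1)[1]
            services.setdefault(name.lower(), _new(name))["image"] = image
            continue
        if line.lower().endswith("svchost - netsvcs"):
            in_netsvcs = True          # names that follow are group members ComboFix chose to show
            continue
        if in_netsvcs:
            services.setdefault(line.lower(), _new(line))["netsvcs"] = True
            continue
        m = KEY_RE.match(line)
        if m:
            current = services.setdefault(m.group(2).lower(), _new(m.group(2)))
            current["key"] = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            field = "reg_image" if m.group(1).lower() == "imagepath" else "dll"
            current[field] = m.group(2)
    return services


def find_suspects(services):
    """Map service name -> reasons, using the two indicators acted on in this thread."""
    suspects = {}
    for key, svc in services.items():
        why = []
        for path in (svc["image"], svc["reg_image"]):
            if path and _clean(path).lower().endswith(".tmp"):
                why.append("service binary is a .tmp file")
                break
        if svc["netsvcs"]:             # assumption: only non-default members are listed
            why.append("listed as a non-default NetSvcs group member")
        if why:
            suspects[key] = why
    return suspects


def build_cfscript(log):
    """Emit File:: / Driver:: / Registry:: sections in the layout used in this thread."""
    services = parse_combofix(log)
    files, drivers, keys = [], [], []
    for key in sorted(find_suspects(services)):
        svc = services[key]
        drivers.append(svc["name"])
        if svc["key"]:
            keys.append("[-" + svc["key"] + "]")
        for path in (svc["dll"], svc["image"], svc["reg_image"]):
            if not path:
                continue
            path = _clean(path)
            if "svchost.exe" in path.lower():   # never queue the shared host process, only its payload
                continue
            if path.lower() not in [f.lower() for f in files]:
                files.append(path)
    files.sort(key=str.lower)
    return ("File::\n" + "\n".join(files) + "\n\nDriver::\n" + "\n".join(drivers)
            + "\n\nRegistry::\n" + "\n".join(keys) + "\n")


if __name__ == "__main__":
    for name, why in find_suspects(parse_combofix(SAMPLE_LOG)).items():
        print(name, "->", "; ".join(why))
    print(build_cfscript(SAMPLE_LOG))
```

Run against the sample it lists `nxgrlfz` (binary is a `.tmp`) and `mipyfpouu` (extra NetSvcs member) and leaves `NPF` and `SavRoam` alone; the script it prints names `01.tmp` and `kagkdjcs.dll` but never `svchost.exe`, which is the distinction that matters when a hijacked host process is involved.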
     
  6. 2009/08/02
    nerimaru

    nerimaru Inactive Thread Starter

    Joined:
    2009/07/29
    Messages:
    12
    Likes Received:
    0
    Hi Broni. I have already done the scan using ComboFix.exe with CFScript.txt on it. After the ComboFix.exe scan, I also scanned my PC using the HijackThis scanner.

    Thank you so much for your help.


    The following are the logs.
    ============================
    ComboFix.txt

    ComboFix 09-07-29.04 - reilabares 3/2009 Mon 10:46.2.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.1014.361 [GMT 8:00]
    Running from: c:\documents and settings\reilabares\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\reilabares\My Documents\Downloads\CFScript.txt
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    "c:\windows\system32\01.tmp"
    "c:\windows\system32\kagkdjcs.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\REILAB~1\LOCALS~1\Temp\IadHide4.dll
    c:\documents and settings\reilabares\Local Settings\Temp\IadHide4.dll
    c:\windows\system32\kagkdjcs.dll
    c:\windows\TEMP\DWH5278.tmp
    c:\windows\TEMP\DWH52E5.tmp
    c:\windows\TEMP\DWH5353.tmp
    c:\windows\TEMP\DWH5585.tmp

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MIPYFPOUU
    -------\Service_mipyfpouu


    ((((((((((((((((((((((((( Files Created from 2009-07-03 to 2009-08-03 )))))))))))))))))))))))))))))))
    .

    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP62.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP61.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP60.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP59.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP58.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP57.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP56.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP55.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP54.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP53.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP52.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP51.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP50.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP49.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP48.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP47.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP46.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP45.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP44.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP43.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP42.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP41.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP40.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP39.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP38.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP37.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP36.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP35.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP34.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP33.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP32.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP31.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP30.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP29.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP28.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP27.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP26.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP25.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP24.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP23.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP22.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP21.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP20.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP19.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP18.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP17.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP16.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP15.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP14.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP13.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP12.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP11.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP9.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP8.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP7.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP6.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP5.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP4.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP3.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP10.dll
    2009-07-31 05:48 . 2009-07-31 05:48 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP2.dll
    2009-07-31 05:48 . 2009-07-31 05:48 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP1.dll
    2009-07-31 05:48 . 2009-07-31 05:48 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.dll
    2009-07-20 13:14 . 2009-07-27 02:29 -------- d-----w- C:\anime
    2009-07-08 00:17 . 2009-05-07 15:44 344064 -c----w- c:\windows\system32\dllcache\localspl.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-03 03:11 . 2008-06-09 15:06 -------- d-----w- c:\program files\OCS Inventory Agent
    2009-08-03 03:04 . 2007-05-16 06:27 -------- d-----w- c:\documents and settings\reilabares\Application Data\OpenOffice.org2
    2009-08-03 03:02 . 2006-12-08 08:48 -------- d-----w- c:\program files\Symantec AntiVirus
    2009-07-30 15:40 . 2009-06-05 02:15 -------- d-----w- c:\program files\送受信シュミレータ Me2
    2009-07-08 00:22 . 2008-07-06 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-06-17 06:29 . 2006-12-21 06:14 -------- d-----w- c:\program files\IDAutomation.com Code 39 Free Font
    2009-06-17 06:29 . 2008-07-06 18:22 -------- d-----w- c:\program files\HTML Help Workshop
    2009-06-17 06:29 . 2006-12-21 02:13 -------- d-----w- c:\program files\icons
    2009-06-17 06:29 . 2008-07-16 15:21 -------- d-----w- c:\program files\HokaTools
    2009-06-16 14:55 . 2003-03-31 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 12:25 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-16 07:14 . 2008-05-20 22:42 -------- d-----w- c:\documents and settings\reilabares\Application Data\PC Suite
    2009-06-16 07:14 . 2009-06-16 07:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
    2009-06-16 07:14 . 2008-05-20 22:49 -------- d-----w- c:\documents and settings\reilabares\Application Data\Nokia
    2009-06-16 07:12 . 2009-06-16 07:12 -------- d-----w- c:\program files\Common Files\PCSuite
    2009-06-16 07:12 . 2009-06-16 07:12 -------- d-----w- c:\program files\Common Files\Nokia
    2009-06-16 07:12 . 2009-06-16 07:10 -------- d-----w- c:\program files\Nokia
    2009-06-16 07:11 . 2009-06-16 07:11 -------- d-----w- c:\program files\DIFX
    2009-06-16 07:11 . 2009-06-16 07:11 -------- d-----w- c:\program files\PC Connectivity Solution
    2009-06-16 07:10 . 2009-06-16 07:10 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{AC4E9457-107B-448F-AD89-605E122E8C59}\Installer\CommonCustomActions\UninstCCD.exe
    2009-06-16 07:10 . 2009-06-16 07:10 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{AC4E9457-107B-448F-AD89-605E122E8C59}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
    2009-06-16 07:10 . 2009-06-16 07:10 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{AC4E9457-107B-448F-AD89-605E122E8C59}\Installer\CommonCustomActions\UninstPCS.exe
    2009-06-16 07:09 . 2009-06-16 07:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
    2009-06-10 17:39 . 2009-06-16 07:10 34515056 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{AC4E9457-107B-448F-AD89-605E122E8C59}\Nokia_PC_Suite_7_1_26_1_tgl_web.exe
    2009-06-10 07:57 . 2009-06-10 07:57 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Fujitsu
    2009-06-03 19:27 . 2006-12-11 10:54 1290752 ----a-w- c:\windows\system32\quartz.dll
    2009-05-13 12:11 . 2009-05-13 12:09 16268 ----a-w- c:\windows\desctemp.dat
    2009-05-07 15:44 . 2003-03-31 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
    2008-11-16 14:07 . 2008-06-26 15:28 134656 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
    2006-05-06 16:42 . 2007-04-16 07:58 7260160 ----a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
    2005-05-13 09:12 . 2005-05-13 09:12 217073 -csha-r- c:\windows\meta4.exe
    2005-10-24 03:13 . 2005-10-24 03:13 66560 -csha-r- c:\windows\MOTA113.exe
    2005-10-13 13:27 . 2005-10-13 13:27 422400 -csha-r- c:\windows\x2.64.exe
    2005-10-07 11:14 . 2005-10-07 11:14 308224 --sha-r- c:\windows\system32\avisynth.dll
    2005-07-14 04:31 . 2005-07-14 04:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
    2005-06-26 07:32 . 2005-06-26 07:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
    2005-06-21 14:37 . 2005-06-21 14:37 45568 --sha-r- c:\windows\system32\cygz.dll
    2004-01-24 16:00 . 2004-01-24 16:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
    2005-02-28 05:16 . 2005-02-28 05:16 240128 -csha-r- c:\windows\system32\x.264.exe
    2004-01-24 16:00 . 2004-01-24 16:00 217088 --sha-r- c:\windows\system32\yv12vfw.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-07-31_05.49.37 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-08-03 03:01 . 2009-08-03 03:01 16384 c:\windows\Temp\Perflib_Perfdata_1e0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2007-01-24 16384]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-05-18 1312256]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
    "igfxtray"="c:\windows\System32\igfxtray.exe" [2005-07-19 94208]
    "igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-07-19 77824]
    "igfxpers"="c:\windows\System32\igfxpers.exe" [2005-07-19 114688]
    "IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-08-09 8597586]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2002-08-29 208953]
    "MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
    "PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
    "FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-04-06 499712]
    "QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" [2006-09-01 282624]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-09 136600]
    "BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

    c:\documents and settings\Rein Labares\Start Menu\Programs\Startup\
    WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2006-12-8 44384]

    c:\documents and settings\reilabares\Start Menu\Programs\Startup\
    OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2005-9-23 61440]
    Shortcut (2) to ipmsg.lnk - c:\documents and settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe [2007-1-8 159232]
    Shortcut to ipmsg.exe.lnk - c:\documents and settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe [2007-1-8 159232]
    SoapBox.lnk - c:\program files\SoapBox\SoapBox.exe [2006-1-23 1017856]
    Stickies.lnk - c:\program files\stickies\stickies.exe [2006-3-29 348160]
    TB-Tray.lnk - c:\program files\Thunderbird-Tray\TBTray.exe [2005-11-9 38912]
    WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2006-12-8 44384]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2009-5-13 1183744]
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-1-24 169472]
    Privoxy.lnk - c:\program files\Privoxy\privoxy.exe [2006-11-20 250368]
    TB-Tray.lnk - c:\program files\Thunderbird-Tray\TBTray.exe [2005-11-9 38912]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "CZ_RESTRICTEDUSER"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Documents and Settings\\Rein Labares\\My Documents\\Installers2\\IPMsg\\ipmsg.exe"=
    "c:\\Program Files\\SoapBox\\SoapBox.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
    "c:\\Program Files\\stickies\\stickies.exe"=
    "c:\\Program Files\\xampp\\apache\\bin\\apache.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\FileZilla\\FileZilla.exe"=
    "c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
    "c:\\Documents and Settings\\reilabares\\My Documents\\Visual Studio 2005\\Projects\\SocketProg\\debug\\SocketProg.exe"=
    "c:\\Documents and Settings\\reilabares\\Desktop\\temp\\UDP Chat\\SGSserverUDP\\Server\\bin\\Debug\\Server.vshost.exe"=
    "c:\\Documents and Settings\\reilabares\\My Documents\\Visual Studio 2005\\Projects\\UDPServer\\debug\\UDPServer.exe"=
    "c:\\Documents and Settings\\reilabares\\Desktop\\temp\\UDP Chat\\SGSserverUDP\\Server\\bin\\Debug\\Server.exe"=
    "c:\program files\7-Zip\7zFMn.exe"= c:\program files\7-Zip\7zFMn.exe:172.28.61.44/255.255.255.255:Enabled:7-Zip File Manager
    "d:\\Project\\BB Debug Tool\\NCOS Release\\vers1.04.00\\release\\AVALONBBTool.exe"=
    "d:\\Project\\BB Debug Tool\\NCOS Release\\vers1.04.01\\release\\AVALONBBTool.exe"=
    "c:\\Program Files\\5NWP NCOS\\AVALON BB Tool\\AVALONBBTool.exe"=
    "d:\\Project\\BB Debug Tool\\NCOS Release\\vers1.05.00\\release\\AVALONBBTool.exe"=
    "c:\\WINDOWS\\system32\\ftp.exe"=
    "d:\\Project\\BB Debug Tool\\NCOS Release\\vers1.07.B0\\release\\AVALONBBTool.exe"=
    "d:\\Project\\BB Debug Tool\\NCOS Release\\vers1.08.B2\\release\\AVALONBBTool.exe"=
    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
    "d:\\Project\\BB Debug Tool\\investigation\\117\\solution\\release\\AVALONBBTool.exe"=
    "d:\\Project\\BB Debug Tool\\Simulator\\TrxSim\\DxTrxSim.exe"=
    "d:\\Project\\BB Debug Tool\\Simulator\\TrxSim\\DxTrxSim1.exe"=
    "c:\\Program Files\\送受信シュミレータ Me2\\TrxSim2.exe"=
    "d:\\Project\\BB Debug Tool\\Release 8\\Release 8 Over IT4\\release\\AVALONBBTool.exe"=
    "d:\\Project\\BB Debug Tool\\Release 9 Regression BN\\debug\\AVALONBBTool.exe"=
    "d:\\Project\\BB Debug Tool\\Release 9 Regression BN_1\\debug\\AVALONBBTool.exe"=
    "c:\\Program Files\\‘??o?M?V?…?~???[?^ Me2\\TrxSim2.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "4277:TCP"= 4277:TCP:emwdaabm

    R2 ANTS Memory Profiler 4 Service;ANTS Memory Profiler 4 Service;d:\program files\Memory\RedGate.Profiler.IISProfileHost.exe [11/19/2008 5:02 PM 20480]
    R2 ANTS Performance Profiler 4 Service;ANTS Performance Profiler 4 Service;d:\program files\RedGate.Profiler.IISService.exe [4/29/2009 1:20 PM 8704]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/7/2007 4:22 AM 34064]
    R2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\OCS Inventory Agent\OcsService.exe [4/21/2008 8:03 PM 69632]
    R3 EraserUtilDrv10910;EraserUtilDrv10910;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [7/31/2009 4:28 PM 101936]
    S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 06:57]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-I&F Viewer toolbar - c:\program files\Photo Toolkit\ivbar\phototoolkitmem.exe
    HKCU-Run-Spark - c:\program files\Spark\Spark.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.awesomehomepage.com/newsletter.php?list=positivethoughts
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyServer = ftp=proxy:3128;gopher=proxy:3128;http=proxy:3128;https=proxy:3128;socks=proxy:3128
    uInternet Settings,ProxyOverride = ;localhost;<local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &Save Flash In This Page by Flash Saver - c:\progra~1\FLASHS~1\save.htm
    IE: &Translate with ATLAS - c:\program files\ATLAS V12\Atlscript.html
    IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: {{B7707A72-4355-11D4-82BD-00000EBBEF8D} - c:\program files\ATLAS V12\Atlscript.html
    FF - ProfilePath - c:\documents and settings\reilabares\Application Data\Mozilla\Firefox\Profiles\c4qqmu8s.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.awesomehomepage.com/newsletter.php?list=positivethoughts
    FF - prefs.js: network.proxy.ftp - proxy
    FF - prefs.js: network.proxy.ftp_port - 3128
    FF - prefs.js: network.proxy.gopher - proxy
    FF - prefs.js: network.proxy.gopher_port - 3128
    FF - prefs.js: network.proxy.http - proxy
    FF - prefs.js: network.proxy.http_port - 3128
    FF - prefs.js: network.proxy.socks - proxy
    FF - prefs.js: network.proxy.socks_port - 3128
    FF - prefs.js: network.proxy.ssl - proxy
    FF - prefs.js: network.proxy.ssl_port - 3128
    FF - prefs.js: network.proxy.type - 1
    FF - component: c:\documents and settings\reilabares\Application Data\Mozilla\Firefox\Profiles\c4qqmu8s.default\extensions\{A2049DEF-A235-488f-878C-B41F8071FA9C}\components\BossKey.dll
    FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
    FF - plugin: c:\program files\Opera 9\program\plugins\npdsplay.dll
    FF - plugin: c:\program files\Opera 9\program\plugins\NPSWF32.dll
    FF - plugin: c:\program files\Opera 9\program\plugins\npwmsdrm.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-03 11:02
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1732)
    c:\program files\TortoiseCVS\TrtseShl.dll
    c:\program files\Logitech\iTouch\iTchHk.dll
    c:\windows\system32\msvdm.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\program files\iTunes\iTunesMiniPlayer.dll
    c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
    c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
    c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
    c:\windows\System32\shdoclc.dll
    c:\windows\IME\SPGRMR.DLL
    c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCP80.dll
    c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_tgl.nlr
    c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\xampp\apache\bin\apache.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Symantec AntiVirus\DefWatch.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\program files\xampp\apache\bin\apache.exe
    c:\program files\xampp\mysql\bin\mysqld-nt.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\program files\RealVNC\VNC4\winvnc4.exe
    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\windows\system32\conime.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\rundll32.exe
    c:\program files\OpenOffice.org 2.0\program\soffice.exe
    c:\program files\OpenOffice.org 2.0\program\soffice.bin
    c:\program files\Mozilla Thunderbird\thunderbird.exe
    c:\program files\PC Connectivity Solution\ServiceLayer.exe
    c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
    c:\program files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-08-03 11:18 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-08-03 03:18

    Pre-Run: 3,744,505,856 bytes free
    Post-Run: 3,603,918,848 bytes free

    343 --- E O F --- 2009-07-30 00:37


    ==========================================================
    hijackthis.log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:22:11 AM, on 8/3/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Memory\RedGate.Profiler.IISProfileHost.exe
    D:\Program Files\RedGate.Profiler.IISService.exe
    C:\Program Files\xampp\apache\bin\apache.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\xampp\apache\bin\apache.exe
    C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
    C:\Program Files\OCS Inventory Agent\ocsservice.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\igfxpers.exe
    C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
    C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Thunderbird-Tray\TBTray.exe
    C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    C:\Program Files\SoapBox\SoapBox.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: ATLAS Translation Bar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V12\ATLIECP.DLL
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: ATLAS Translation Bar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V12\ATLIECP.DLL
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Startup: Shortcut (2) to ipmsg.lnk = C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    O4 - Startup: Shortcut to ipmsg.exe.lnk = C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    O4 - Startup: SoapBox.lnk = ?
    O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
    O4 - Startup: TB-Tray.lnk = C:\Program Files\Thunderbird-Tray\TBTray.exe
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BlueSoleil.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
    O4 - Global Startup: TB-Tray.lnk = C:\Program Files\Thunderbird-Tray\TBTray.exe
    O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
    O8 - Extra context menu item: &Translate with ATLAS - C:\Program Files\ATLAS V12\Atlscript.html
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
    O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Program Files\ATLAS V12\Atlscript.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O23 - Service: ANTS Memory Profiler 4 Service - Red Gate Software Ltd - D:\Program Files\Memory\RedGate.Profiler.IISProfileHost.exe
    O23 - Service: ANTS Performance Profiler 4 Service - Red Gate Software Ltd. - D:\Program Files\RedGate.Profiler.IISService.exe
    O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\xampp\apache\bin\apache.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: mysql - Unknown owner - C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
    O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://www.ocsinventory-ng.org - C:\Program Files\OCS Inventory Agent\ocsservice.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 10064 bytes
     
  7. 2009/08/03
    broni Moderator Malware Analyst
    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!


    STEP 3.
    Post fresh HijackThis log.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. 2009/08/03
    nerimaru Inactive Thread Starter
    Hi Broni.

    I have downloaded SUPERAntiSpyware and installed it on my PC. Then I downloaded the needed patch to update its program definitions. But when I restarted my PC to start in Safe Mode, I cannot get past the login/welcome screen. I don't know, I guess I cannot run my PC in Safe Mode.

    I tapped F8 continuously, then chose Safe Mode in the menu. After I saw "Safe Mode" in all four corners, the screen displayed the login screen. When I clicked my username, my PC restarted again (this time it booted normally). So I pressed F8 again, but the same thing happens. I cannot log in to my PC using Safe Mode :confused:. I cannot continue to do the things that you have instructed me to do.

    Is there any way that I can scan my PC without running in safe mode?
    Is there any other way for me to run my PC in safe mode?

    I really appreciate your time and help.

    Thank you so much
     
  9. 2009/08/03
    broni Moderator Malware Analyst
    Yes, please run all programs in Normal Mode then.
     
  10. 2009/08/04
    nerimaru Inactive Thread Starter
    Hello Broni. At last I have done the things that you instructed me to do :). Thank you so much for your patience.

    The following are the logs of the scans.

    Thank you so much.

    ============================
    Log for the SUPERAntiSpyware scan

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 08/04/2009 at 05:08 PM

    Application Version : 4.27.1000

    Core Rules Database Version : 4027
    Trace Rules Database Version: 1967

    Scan type : Complete Scan
    Total Scan Time : 02:02:11

    Memory items scanned : 774
    Memory threats detected : 0
    Registry items scanned : 7662
    Registry threats detected : 0
    File items scanned : 32026
    File threats detected : 2

    Browser Hijacker.AwesomeHomepage
    C:\PROGRAM FILES\WINUPDATER\UPDATE.EXE

    Trojan.Agent/Gen-FSG
    D:\INSTALLERS\KUYA'S\SCRABBLE\KEYGEN.EXE

    =========================================
    Log for the Malwarebytes' Anti-Malware scan

    Malwarebytes' Anti-Malware 1.40
    Database version: 2551
    Windows 5.1.2600 Service Pack 2

    8/4/2009 10:41:12 PM
    mbam-log-2009-08-04 (22-41-12).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 359056
    Time elapsed: 2 hour(s), 34 minute(s), 17 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 2
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\WinUpdater (Adware.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\WinUpdater\Temp (Adware.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    D:\Installers\adobe audition 1.5\Adobe.Audition v1.5.KG.part1.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\Program Files\WinUpdater\Temp\license.txt (Adware.Agent) -> Quarantined and deleted successfully.


    ==================================================
    HiJackThis.log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:56:50 PM, on 8/4/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    D:\Program Files\Memory\RedGate.Profiler.IISProfileHost.exe
    D:\Program Files\RedGate.Profiler.IISService.exe
    C:\Program Files\xampp\apache\bin\apache.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\igfxpers.exe
    C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
    C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
    C:\Program Files\Thunderbird-Tray\TBTray.exe
    C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    C:\Program Files\OCS Inventory Agent\ocsservice.exe
    C:\Program Files\SoapBox\SoapBox.exe
    C:\Program Files\stickies\stickies.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\xampp\apache\bin\apache.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: ATLAS Translation Bar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V12\ATLIECP.DLL
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: ATLAS Translation Bar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V12\ATLIECP.DLL
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Startup: Shortcut (2) to ipmsg.lnk = C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    O4 - Startup: Shortcut to ipmsg.exe.lnk = C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    O4 - Startup: SoapBox.lnk = ?
    O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
    O4 - Startup: TB-Tray.lnk = C:\Program Files\Thunderbird-Tray\TBTray.exe
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BlueSoleil.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
    O4 - Global Startup: TB-Tray.lnk = C:\Program Files\Thunderbird-Tray\TBTray.exe
    O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
    O8 - Extra context menu item: &Translate with ATLAS - C:\Program Files\ATLAS V12\Atlscript.html
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
    O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Program Files\ATLAS V12\Atlscript.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ANTS Memory Profiler 4 Service - Red Gate Software Ltd - D:\Program Files\Memory\RedGate.Profiler.IISProfileHost.exe
    O23 - Service: ANTS Performance Profiler 4 Service - Red Gate Software Ltd. - D:\Program Files\RedGate.Profiler.IISService.exe
    O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\xampp\apache\bin\apache.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: mysql - Unknown owner - C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
    O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://www.ocsinventory-ng.org - C:\Program Files\OCS Inventory Agent\ocsservice.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 11218 bytes
     
  11. 2009/08/04
    broni Moderator Malware Analyst
    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    ==================================================================

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - O4 - Startup: SoapBox.lnk = ?
    - O4 - Global Startup: BlueSoleil.lnk = ?


    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
    - O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
    - O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    - O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    - O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    - O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    - O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    - O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    - O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll



    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
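    The two entries singled out above for fixing are the ones whose shortcut target HijackThis printed as "?". As an added example (not part of this thread and not HijackThis code), the Python below parses the O4 Run-key, O4 Startup-folder and O23 service lines of a HijackThis 2.x log and applies that check plus two triage heuristics a practitioner would add: services logged with "Unknown owner" (HijackThis found no company name in the binary's version resource) and autostart programs living under a user-writable profile path, like the ipmsg.exe copies under My Documents in this log. The sample log is constructed from nine lines of this thread's logs; the heuristic names and the flag wording are mine. A flag means "verify", not "malicious": the BlueSoleil and mysql services it flags are legitimate, and the moderator did not ask to remove them.

```python
"""Triage the autostart (O4) and service (O23) lines of a HijackThis 2.x log."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, modelled on lines from the logs in this thread
# (nine entries, not the full log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SoapBox.lnk = ?
O4 - Startup: Shortcut to ipmsg.exe.lnk = C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: mysql - Unknown owner - C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^O4 - (?P<scope>Global Startup|Startup): (?P<name>.+?) = (?P<target>.*)$')
SERVICE_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<origin>.+?) - (?P<path>.+)$')
# First token ending in a program-like extension, for unquoted commands that carry arguments.
EXE_RE = re.compile(r'^(?P<exe>.*?\.(?:exe|dll|cpl|bat|cmd|scr))(?:\s|$)', re.IGNORECASE)
# Locations an ordinary user can write to; an autostart pointing there deserves a look (heuristic).
USER_PATH_MARKERS = ('\\documents and settings\\', '\\users\\')


@dataclass
class Entry:
    kind: str     # 'run' (Run key), 'startup' (Startup folder) or 'service'
    name: str     # value name, shortcut name or service display name
    path: str     # program launched; '?' when HijackThis could not resolve a shortcut
    origin: str   # registry hive, Startup-folder scope, or the service's vendor string
    raw: str      # the original log line, kept for reporting


def executable_of(command: str) -> str:
    """Strip quotes and arguments from a Run-key command, leaving the program path."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].strip() if end > 0 else cmd.strip('"').strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group('exe')
    return cmd.split()[0] if cmd else ''


def parse_hjt(text: str) -> List[Entry]:
    """Return the O4 Run-key, O4 Startup-folder and O23 service entries of a log."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry('run', m['name'], executable_of(m['cmd']), m['hive'], line))
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries.append(Entry('startup', m['name'], m['target'].strip(), m['scope'], line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries.append(Entry('service', m['name'], m['path'].strip(), m['origin'], line))
    return entries


def reasons_for(entry: Entry) -> List[str]:
    """Heuristics that say 'verify this entry', not 'this entry is malware'."""
    reasons = []
    if entry.kind == 'startup' and entry.path == '?':
        reasons.append('shortcut target could not be resolved by HijackThis')
    if entry.kind == 'service' and entry.origin.lower() == 'unknown owner':
        reasons.append('service binary carries no company name in its version resource')
    lowered = entry.path.lower()
    if any(marker in lowered for marker in USER_PATH_MARKERS):
        reasons.append('autostart program lives under a user-writable profile path')
    return reasons


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """(raw line, reasons) for every entry that trips at least one heuristic."""
    flagged = []
    for entry in parse_hjt(text):
        reasons = reasons_for(entry)
        if reasons:
            flagged.append((entry.raw, reasons))
    return flagged


if __name__ == '__main__':
    for raw_line, why in triage(SAMPLE_LOG):
        print(raw_line)
        for reason in why:
            print('    ->', reason)
```

    Run it against a full saved log (read the file and pass its text to triage) to get a short list to check by hand before touching anything with "Fix checked"; the parser deliberately leaves O2/O3/O9 browser entries alone, because those need a different set of questions.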
     
  12. 2009/08/05
    nerimaru Inactive Thread Starter
    Hi broni. Good day to you. I have updated my JRE and have scanned my PC with HijackThis again. The following are the logs.

    By the way, the first log was generated when I pressed the "Do a system scan and save a logfile" button. The second log was generated when I pressed the Scan button after the first log file had been generated.

    Thank you so much for the help.

    The following are the log files:

    =======================================
    First HijackThis log file

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:44:18 PM, on 8/5/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Memory\RedGate.Profiler.IISProfileHost.exe
    D:\Program Files\RedGate.Profiler.IISService.exe
    C:\Program Files\xampp\apache\bin\apache.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\xampp\apache\bin\apache.exe
    C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
    C:\Program Files\OCS Inventory Agent\ocsservice.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
    C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
    C:\Program Files\Thunderbird-Tray\TBTray.exe
    C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    C:\Program Files\stickies\stickies.exe
    C:\Program Files\Thunderbird-Tray\TBTray.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: ATLAS Translation Bar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V12\ATLIECP.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: ATLAS Translation Bar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V12\ATLIECP.DLL
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Startup: Shortcut (2) to ipmsg.lnk = C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    O4 - Startup: Shortcut to ipmsg.exe.lnk = C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
    O4 - Startup: TB-Tray.lnk = C:\Program Files\Thunderbird-Tray\TBTray.exe
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
    O4 - Global Startup: TB-Tray.lnk = C:\Program Files\Thunderbird-Tray\TBTray.exe
    O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
    O8 - Extra context menu item: &Translate with ATLAS - C:\Program Files\ATLAS V12\Atlscript.html
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
    O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Program Files\ATLAS V12\Atlscript.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O23 - Service: ANTS Memory Profiler 4 Service - Red Gate Software Ltd - D:\Program Files\Memory\RedGate.Profiler.IISProfileHost.exe
    O23 - Service: ANTS Performance Profiler 4 Service - Red Gate Software Ltd. - D:\Program Files\RedGate.Profiler.IISService.exe
    O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\xampp\apache\bin\apache.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: mysql - Unknown owner - C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
    O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://www.ocsinventory-ng.org - C:\Program Files\OCS Inventory Agent\ocsservice.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 8822 bytes


    =======================================
    second HiJackThis log file

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:45:15 PM, on 8/5/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Memory\RedGate.Profiler.IISProfileHost.exe
    D:\Program Files\RedGate.Profiler.IISService.exe
    C:\Program Files\xampp\apache\bin\apache.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\xampp\apache\bin\apache.exe
    C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
    C:\Program Files\OCS Inventory Agent\ocsservice.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
    C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
    C:\Program Files\Thunderbird-Tray\TBTray.exe
    C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    C:\Program Files\stickies\stickies.exe
    C:\Program Files\Thunderbird-Tray\TBTray.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: ATLAS Translation Bar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V12\ATLIECP.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: ATLAS Translation Bar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V12\ATLIECP.DLL
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Startup: Shortcut (2) to ipmsg.lnk = C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    O4 - Startup: Shortcut to ipmsg.exe.lnk = C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
    O4 - Startup: TB-Tray.lnk = C:\Program Files\Thunderbird-Tray\TBTray.exe
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
    O4 - Global Startup: TB-Tray.lnk = C:\Program Files\Thunderbird-Tray\TBTray.exe
    O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
    O8 - Extra context menu item: &Translate with ATLAS - C:\Program Files\ATLAS V12\Atlscript.html
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
    O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Program Files\ATLAS V12\Atlscript.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll
    O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
    O18 - Protocol hijack: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}
    O18 - Protocol hijack: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B}
    O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
    O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol hijack: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6}
    O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
    O18 - Protocol hijack: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
    O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
    O18 - Protocol: msdaipp - (no CLSID) - (no file)
    O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
    O18 - Protocol hijack: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}
    O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol hijack: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
    O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol hijack: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}
    O23 - Service: ANTS Memory Profiler 4 Service - Red Gate Software Ltd - D:\Program Files\Memory\RedGate.Profiler.IISProfileHost.exe
    O23 - Service: ANTS Performance Profiler 4 Service - Red Gate Software Ltd. - D:\Program Files\RedGate.Profiler.IISService.exe
    O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\xampp\apache\bin\apache.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: mysql - Unknown owner - C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
    O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://www.ocsinventory-ng.org - C:\Program Files\OCS Inventory Agent\ocsservice.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 11154 bytes
     
  13. 2009/08/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You forgot to "fix" this one:
    - O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    Please, do so, and when done....


    Your computer is clean :)
    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure Windows Updates are current.

    6. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    7. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    8. Run defrag at your convenience.

    9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    10. Please let me know how your computer is doing.
     
  14. 2009/08/05
    nerimaru

    nerimaru Inactive Thread Starter

    Joined:
    2009/07/29
    Messages:
    12
    Likes Received:
    0
    Hello Broni, thank you so much for the help. I guess the fix went well. I'll just inform you if the same problem or another problem occurs. I'm very happy that this problem is fixed. :)

    May I know what went wrong? I'm not just curious but I want to learn, especially about PC security :) (recommended sites for reference and studies). There was a time when my Gmail account was locked down, which made me think that there must be malware on my PC.

    I am truly grateful for the help.
     
  15. 2009/08/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Well, your computer was seriously infected, we cleaned it, and I'm glad things are back to normal :)
     
  16. 2009/08/06
    nerimaru

    nerimaru Inactive Thread Starter

    Joined:
    2009/07/29
    Messages:
    12
    Likes Received:
    0
    Wow, amazing. :)

    By the way, my Symantec antivirus always detects W32.Downadup.B. Is this normal? In addition, this creates randomly named folders (ex. 6PY0REIT, GH0J230N, etc.) in C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5. So when this happens I just manually delete them.

    Is there a way to stop this? hehehe :)

    Thank you so much.
     
  17. 2009/08/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Hmmm....let's double check....

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and click Scan to run the express scan. Click OK in the pop-up window to allow the scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.
     
  18. 2009/08/10
    nerimaru

    nerimaru Inactive Thread Starter

    Joined:
    2009/07/29
    Messages:
    12
    Likes Received:
    0
    Hi Broni. It's been a while since I've logged in to this site.

    I have installed the Dr. Web CureIt scanner and had my PC scanned by it. The express scan was successful, but the complete scan failed. The following is the error message: "3cm2z.exe has encountered a problem and needs to close. We are sorry for the inconvenience."
     
  19. 2009/08/10
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with ComboFix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  20. 2009/08/11
    nerimaru

    nerimaru Inactive Thread Starter

    Joined:
    2009/07/29
    Messages:
    12
    Likes Received:
    0
    Hi broni. The following are the ComboFix log and HijackThis log.

    COMBOFIX log
    ComboFix 09-08-10.01 - reilabares 1/2009 Tue 10:48.3.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.1014.392 [GMT 8:00]
    Running from: c:\documents and settings\reilabares\My Documents\Downloads\ComboFix\02\ComboFix.exe
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))
    .

    2009-08-07 02:42 . 2009-08-07 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2009-08-07 02:42 . 2009-08-07 02:42 -------- d-----w- c:\program files\NOS
    2009-08-07 02:40 . 2009-08-07 02:40 -------- d-----w- c:\documents and settings\reilabares\Application Data\GrabPro
    2009-08-07 02:32 . 2009-08-10 09:52 -------- d-----w- c:\program files\Orbitdownloader
    2009-08-07 02:32 . 2009-08-07 02:47 -------- d-----w- c:\documents and settings\reilabares\Application Data\Orbit
    2009-08-06 17:18 . 2009-08-06 17:18 -------- d-----w- c:\program files\Xilisoft
    2009-08-06 06:22 . 2009-08-06 07:23 -------- d-----w- c:\documents and settings\reilabares\DoctorWeb
    2009-08-05 06:34 . 2009-08-05 06:34 -------- d-----w- c:\program files\Java
    2009-08-04 09:43 . 2009-08-04 09:43 -------- d-----w- c:\documents and settings\reilabares\Application Data\Malwarebytes
    2009-08-04 09:43 . 2009-08-03 05:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-04 09:43 . 2009-08-04 09:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-04 09:43 . 2009-08-04 09:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-08-04 09:43 . 2009-08-03 05:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-08-03 18:05 . 2009-08-04 09:36 117760 ----a-w- c:\documents and settings\reilabares\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-08-03 18:04 . 2009-08-03 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-08-03 18:04 . 2009-08-03 18:04 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-08-03 18:04 . 2009-08-03 18:04 -------- d-----w- c:\documents and settings\reilabares\Application Data\SUPERAntiSpyware.com
    2009-08-03 18:03 . 2009-08-03 18:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-08-03 03:21 . 2009-08-03 03:21 -------- d-----w- c:\program files\Trend Micro
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP62.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP61.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP60.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP59.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP58.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP57.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP56.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP55.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP54.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP53.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP52.dll
    2009-08-03 01:54 . 2009-08-03 01:54 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP51.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP50.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP49.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP48.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP47.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP46.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP45.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP44.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP43.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP42.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP41.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP40.dll
    2009-08-03 01:41 . 2009-08-03 01:41 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP39.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP38.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP37.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP36.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP35.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP34.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP33.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP32.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP31.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP30.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP29.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP28.dll
    2009-07-31 11:33 . 2009-07-31 11:33 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP27.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP26.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP25.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP24.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP23.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP22.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP21.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP20.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP19.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP18.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP17.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP16.dll
    2009-07-31 11:04 . 2009-07-31 11:04 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP15.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP14.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP13.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP12.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP11.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP9.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP8.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP7.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP6.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP5.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP4.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP3.dll
    2009-07-31 08:00 . 2009-07-31 08:00 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP10.dll
    2009-07-31 05:48 . 2009-07-31 05:48 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP2.dll
    2009-07-31 05:48 . 2009-07-31 05:48 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP1.dll
    2009-07-31 05:48 . 2009-07-31 05:48 0 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.dll
    2009-07-20 13:14 . 2009-08-06 17:20 -------- d-----w- C:\anime

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-11 02:42 . 2006-12-08 08:48 -------- d-----w- c:\program files\Symantec AntiVirus
    2009-08-11 02:29 . 2008-06-09 15:06 -------- d-----w- c:\program files\OCS Inventory Agent
    2009-08-11 02:08 . 2007-05-16 06:27 -------- d-----w- c:\documents and settings\reilabares\Application Data\OpenOffice.org2
    2009-08-10 06:48 . 2009-06-05 02:15 -------- d-----w- c:\program files\送受信シュミレータ Me2
    2009-08-07 02:31 . 2008-07-15 22:20 -------- d-----w- c:\program files\Free Music Zilla
    2009-08-05 06:34 . 2008-12-21 12:29 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-07-08 00:22 . 2008-07-06 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-06-17 06:29 . 2006-12-21 06:14 -------- d-----w- c:\program files\IDAutomation.com Code 39 Free Font
    2009-06-17 06:29 . 2008-07-06 18:22 -------- d-----w- c:\program files\HTML Help Workshop
    2009-06-17 06:29 . 2006-12-21 02:13 -------- d-----w- c:\program files\icons
    2009-06-17 06:29 . 2008-07-16 15:21 -------- d-----w- c:\program files\HokaTools
    2009-06-16 14:55 . 2003-03-31 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 12:25 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-16 07:14 . 2008-05-20 22:42 -------- d-----w- c:\documents and settings\reilabares\Application Data\PC Suite
    2009-06-16 07:14 . 2009-06-16 07:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
    2009-06-16 07:14 . 2008-05-20 22:49 -------- d-----w- c:\documents and settings\reilabares\Application Data\Nokia
    2009-06-16 07:12 . 2009-06-16 07:12 -------- d-----w- c:\program files\Common Files\PCSuite
    2009-06-16 07:12 . 2009-06-16 07:12 -------- d-----w- c:\program files\Common Files\Nokia
    2009-06-16 07:12 . 2009-06-16 07:10 -------- d-----w- c:\program files\Nokia
    2009-06-16 07:11 . 2009-06-16 07:11 -------- d-----w- c:\program files\DIFX
    2009-06-16 07:11 . 2009-06-16 07:11 -------- d-----w- c:\program files\PC Connectivity Solution
    2009-06-16 07:10 . 2009-06-16 07:10 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{AC4E9457-107B-448F-AD89-605E122E8C59}\Installer\CommonCustomActions\UninstCCD.exe
    2009-06-16 07:10 . 2009-06-16 07:10 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{AC4E9457-107B-448F-AD89-605E122E8C59}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
    2009-06-16 07:10 . 2009-06-16 07:10 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{AC4E9457-107B-448F-AD89-605E122E8C59}\Installer\CommonCustomActions\UninstPCS.exe
    2009-06-16 07:09 . 2009-06-16 07:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
    2009-06-10 17:39 . 2009-06-16 07:10 34515056 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{AC4E9457-107B-448F-AD89-605E122E8C59}\Nokia_PC_Suite_7_1_26_1_tgl_web.exe
    2009-06-03 19:27 . 2006-12-11 10:54 1290752 ----a-w- c:\windows\system32\quartz.dll
    2009-05-13 12:11 . 2009-05-13 12:09 16268 ----a-w- c:\windows\desctemp.dat
    2006-05-06 16:42 . 2007-04-16 07:58 7260160 ----a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
    2005-05-13 09:12 . 2005-05-13 09:12 217073 -csha-r- c:\windows\meta4.exe
    2005-10-24 03:13 . 2005-10-24 03:13 66560 -csha-r- c:\windows\MOTA113.exe
    2005-10-13 13:27 . 2005-10-13 13:27 422400 -csha-r- c:\windows\x2.64.exe
    2005-10-07 11:14 . 2005-10-07 11:14 308224 --sha-r- c:\windows\system32\avisynth.dll
    2005-07-14 04:31 . 2005-07-14 04:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
    2005-06-26 07:32 . 2005-06-26 07:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
    2005-06-21 14:37 . 2005-06-21 14:37 45568 --sha-r- c:\windows\system32\cygz.dll
    2004-01-24 16:00 . 2004-01-24 16:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
    2005-02-28 05:16 . 2005-02-28 05:16 240128 -csha-r- c:\windows\system32\x.264.exe
    2004-01-24 16:00 . 2004-01-24 16:00 217088 --sha-r- c:\windows\system32\yv12vfw.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-07-31_05.49.37 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-08-07 02:48 . 2009-08-07 02:48 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
    + 2009-08-03 18:04 . 2009-08-03 18:04 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    + 2009-08-03 18:04 . 2009-08-03 18:04 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    + 2008-10-16 06:07 . 2008-10-16 06:07 208744 c:\windows\system32\muweb.dll
    + 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
    + 2009-08-05 06:34 . 2009-08-05 06:34 149280 c:\windows\system32\javaws.exe
    + 2009-08-05 06:34 . 2009-08-05 06:34 145184 c:\windows\system32\javaw.exe
    + 2009-08-05 06:34 . 2009-08-05 06:34 145184 c:\windows\system32\java.exe
    + 2009-08-10 08:29 . 2009-08-10 08:29 358400 c:\windows\Installer\15e3632.msi
    + 2009-08-05 06:34 . 2009-08-05 06:34 1757696 c:\windows\Installer\1ebc54.msi
    + 2009-08-03 18:04 . 2009-08-03 18:04 1516544 c:\windows\Installer\125db1f.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-05-18 1312256]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-07-19 77824]
    "IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-08-09 8597586]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2002-08-29 208953]
    "MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
    "PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
    "FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-04-06 499712]
    "QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" [2006-09-01 282624]
    "BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

    c:\documents and settings\Rein Labares\Start Menu\Programs\Startup\
    WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2006-12-8 44384]

    c:\documents and settings\reilabares\Start Menu\Programs\Startup\
    OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2005-9-23 61440]
    Shortcut (2) to ipmsg.lnk - c:\documents and settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe [2007-1-8 159232]
    Shortcut to ipmsg.exe.lnk - c:\documents and settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe [2007-1-8 159232]
    Stickies.lnk - c:\program files\stickies\stickies.exe [2006-3-29 348160]
    TB-Tray.lnk - c:\program files\Thunderbird-Tray\TBTray.exe [2005-11-9 38912]
    WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2006-12-8 44384]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Privoxy.lnk - c:\program files\Privoxy\privoxy.exe [2006-11-20 250368]
    TB-Tray.lnk - c:\program files\Thunderbird-Tray\TBTray.exe [2005-11-9 38912]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "CZ_RESTRICTEDUSER"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Documents and Settings\\Rein Labares\\My Documents\\Installers2\\IPMsg\\ipmsg.exe"=
    "c:\\Program Files\\SoapBox\\SoapBox.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
    "c:\\Program Files\\stickies\\stickies.exe"=
    "c:\\Program Files\\xampp\\apache\\bin\\apache.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\FileZilla\\FileZilla.exe"=
    "c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
    "c:\\Documents and Settings\\reilabares\\My Documents\\Visual Studio 2005\\Projects\\SocketProg\\debug\\SocketProg.exe"=
    "c:\\Documents and Settings\\reilabares\\Desktop\\temp\\UDP Chat\\SGSserverUDP\\Server\\bin\\Debug\\Server.vshost.exe"=
    "c:\\Documents and Settings\\reilabares\\My Documents\\Visual Studio 2005\\Projects\\UDPServer\\debug\\UDPServer.exe"=
    "c:\\Documents and Settings\\reilabares\\Desktop\\temp\\UDP Chat\\SGSserverUDP\\Server\\bin\\Debug\\Server.exe"=
    "c:\program files\7-Zip\7zFMn.exe"= c:\program files\7-Zip\7zFMn.exe:172.28.61.44/255.255.255.255:Enabled:7-Zip File Manager
    "d:\\Project\\BB Debug Tool\\NCOS Release\\vers1.04.00\\release\\AVALONBBTool.exe"=
    "d:\\Project\\BB Debug Tool\\NCOS Release\\vers1.04.01\\release\\AVALONBBTool.exe"=
    "c:\\Program Files\\5NWP NCOS\\AVALON BB Tool\\AVALONBBTool.exe"=
    "d:\\Project\\BB Debug Tool\\NCOS Release\\vers1.05.00\\release\\AVALONBBTool.exe"=
    "c:\\WINDOWS\\system32\\ftp.exe"=
    "d:\\Project\\BB Debug Tool\\NCOS Release\\vers1.07.B0\\release\\AVALONBBTool.exe"=
    "d:\\Project\\BB Debug Tool\\NCOS Release\\vers1.08.B2\\release\\AVALONBBTool.exe"=
    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
    "d:\\Project\\BB Debug Tool\\investigation\\117\\solution\\release\\AVALONBBTool.exe"=
    "d:\\Project\\BB Debug Tool\\Simulator\\TrxSim\\DxTrxSim.exe"=
    "d:\\Project\\BB Debug Tool\\Simulator\\TrxSim\\DxTrxSim1.exe"=
    "c:\\Program Files\\送受信シュミレータ Me2\\TrxSim2.exe"=
    "d:\\Project\\BB Debug Tool\\Release 8\\Release 8 Over IT4\\release\\AVALONBBTool.exe"=
    "d:\\Project\\BB Debug Tool\\Release 9 Regression BN\\debug\\AVALONBBTool.exe"=
    "d:\\Project\\BB Debug Tool\\Release 9 Regression BN_1\\debug\\AVALONBBTool.exe"=
    "c:\\Program Files\\‘??o?M?V?…?~???[?^ Me2\\TrxSim2.exe"=
    "d:\\Project\\BB Debug Tool\\Release 9 Regression BP\\debug\\AVALONBBTool.exe"=
    "c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
    "c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
    "d:\\Project\\BB Debug Tool\\Release 9 Regression BQ\\debug\\AVALONBBTool.exe"=
    "d:\\Project\\BB Debug Tool\\Release 10 Regression 1\\BB Debug Tools\\debug\\AVALONBBTool.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "4277:TCP"= 4277:TCP:emwdaabm

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/28/2009 10:53 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/28/2009 10:53 AM 72944]
    R2 ANTS Memory Profiler 4 Service;ANTS Memory Profiler 4 Service;d:\program files\Memory\RedGate.Profiler.IISProfileHost.exe [11/19/2008 5:02 PM 20480]
    R2 ANTS Performance Profiler 4 Service;ANTS Performance Profiler 4 Service;d:\program files\RedGate.Profiler.IISService.exe [4/29/2009 1:20 PM 8704]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/7/2007 4:22 AM 34064]
    R2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\OCS Inventory Agent\OcsService.exe [4/21/2008 8:03 PM 69632]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [8/7/2009 10:42 AM 66056]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [7/28/2009 10:53 AM 7408]
    S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - EraserUtilDrv10910
    *Deregistered* - EraserUtilRebootDrv
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 06:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.orbitdownloader.com
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyServer = ftp=proxy:3128;gopher=proxy:3128;http=proxy:3128;https=proxy:3128;socks=proxy:3128
    uInternet Settings,ProxyOverride = ;localhost;<local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: &Save Flash In This Page by Flash Saver - c:\progra~1\FLASHS~1\save.htm
    IE: &Translate with ATLAS - c:\program files\ATLAS V12\Atlscript.html
    IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: {{B7707A72-4355-11D4-82BD-00000EBBEF8D} - c:\program files\ATLAS V12\Atlscript.html
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    FF - ProfilePath - c:\documents and settings\reilabares\Application Data\Mozilla\Firefox\Profiles\c4qqmu8s.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com
    FF - prefs.js: network.proxy.ftp - proxy
    FF - prefs.js: network.proxy.ftp_port - 3128
    FF - prefs.js: network.proxy.gopher - proxy
    FF - prefs.js: network.proxy.gopher_port - 3128
    FF - prefs.js: network.proxy.http - proxy
    FF - prefs.js: network.proxy.http_port - 3128
    FF - prefs.js: network.proxy.socks - proxy
    FF - prefs.js: network.proxy.socks_port - 3128
    FF - prefs.js: network.proxy.ssl - proxy
    FF - prefs.js: network.proxy.ssl_port - 3128
    FF - prefs.js: network.proxy.type - 1
    FF - component: c:\documents and settings\reilabares\Application Data\Mozilla\Firefox\Profiles\c4qqmu8s.default\extensions\{A2049DEF-A235-488f-878C-B41F8071FA9C}\components\BossKey.dll
    FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
    FF - plugin: c:\program files\Opera 9\program\plugins\np_gp.dll
    FF - plugin: c:\program files\Opera 9\program\plugins\npdsplay.dll
    FF - plugin: c:\program files\Opera 9\program\plugins\NPSWF32.dll
    FF - plugin: c:\program files\Opera 9\program\plugins\npwmsdrm.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-11 10:56
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2009-08-11 11:02
    ComboFix-quarantined-files.txt 2009-08-11 03:02

    Pre-Run: 5,672,681,472 bytes free
    Post-Run: 5,696,401,408 bytes free

    324 --- E O F --- 2009-07-30 00:37
    ====================================================


    HIJACKTHIS log
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:11:52 PM, on 8/11/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
    C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe
    C:\WINDOWS\system32\rundll32.exe
    D:\Program Files\Memory\RedGate.Profiler.IISProfileHost.exe
    C:\Program Files\Thunderbird-Tray\TBTray.exe
    C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    C:\Program Files\stickies\stickies.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
    D:\Program Files\RedGate.Profiler.IISService.exe
    C:\Program Files\xampp\apache\bin\apache.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
    C:\Program Files\OCS Inventory Agent\ocsservice.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\xampp\apache\bin\apache.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SoapBox\SoapBox.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Symantec AntiVirus\vpc32.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\reilabares\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: ATLAS Translation Bar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V12\ATLIECP.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: ATLAS Translation Bar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V12\ATLIECP.DLL
    O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Startup: Shortcut (2) to ipmsg.lnk = C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    O4 - Startup: Shortcut to ipmsg.exe.lnk = C:\Documents and Settings\Rein Labares\My Documents\Installers2\IPMsg\ipmsg.exe
    O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
    O4 - Startup: TB-Tray.lnk = C:\Program Files\Thunderbird-Tray\TBTray.exe
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
    O4 - Global Startup: TB-Tray.lnk = C:\Program Files\Thunderbird-Tray\TBTray.exe
    O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
    O8 - Extra context menu item: &Translate with ATLAS - C:\Program Files\ATLAS V12\Atlscript.html
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
    O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Program Files\ATLAS V12\Atlscript.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249623142921
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O23 - Service: ANTS Memory Profiler 4 Service - Red Gate Software Ltd - D:\Program Files\Memory\RedGate.Profiler.IISProfileHost.exe
    O23 - Service: ANTS Performance Profiler 4 Service - Red Gate Software Ltd. - D:\Program Files\RedGate.Profiler.IISService.exe
    O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\xampp\apache\bin\apache.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: mysql - Unknown owner - C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
    O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://www.ocsinventory-ng.org - C:\Program Files\OCS Inventory Agent\ocsservice.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 11286 bytes
     
  21. 2009/08/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Combofix log shows nothing.

    Uninstall Combofix:
    Go Start > Run
    Type in:
    combofix /u
    Note the space between "combofix" and "/u".
    Restart computer.


    HJT log is clean.

    I have to assume Norton's finding must be a false positive.
     
