
[InActive] IE Redirect Malware

Discussion in 'Malware and Virus Removal Archive' started by jfadal, 2008/11/13.

    jfadal (Thread Starter), 2008/11/13
    Every time I perform a search in Google the results have links associated that are completely unrelated. I have no idea how to resolve this. Reinstalling Java was unsuccessful. Thank you.

    Logfile of random's system information tool 1.04 (written by random/random)
    Run by jessicaf at 2008-11-13 17:21:30
    Microsoft Windows XP Professional Service Pack 3
    System drive C: has 29 GB (41%) free of 71 GB
    Total RAM: 3328 MB (77% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:21:34 PM, on 11/13/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\PDF Complete\pdfsvc.exe
    C:\WINDOWS\system32\PGPserv.exe
    C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
    C:\WINDOWS\system32\r_server.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlagent.exe
    C:\WINDOWS\TEMP\RJDA1B.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\PDF Complete\pdfsty.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\devenv.exe
    C:\WINDOWS\system32\mmc.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Crystal Decisions\Crystal Reports 10\crw32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\jessicaf\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\jessicaf.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wacointranet/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Brazos
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
    O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
    O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
    O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
    O4 - HKLM\..\Run: [Client Access PC5250 Sound] "C:\Program Files\IBM\Client Access\Emulator\pcssnd.exe"
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: PGPtray.exe.lnk = ?
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://192.168.6.37:4343/officescan/console/html/ClientInstall/WinNTChk.cab
    O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://192.168.6.37:4343/officescan/console/html/ClientInstall/setup.cab
    O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://192.168.6.37:4343/officescan/console/html/root/AtxEnc.cab
    O16 - DPF: {427BD09A-B354-4AF3-89CC-7EB3B315554B} (HWAUCtrl Class) - http://edmsdev:8080/bizflow/controls/hwau.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.6.37:4343/officescan/console/html/ClientInstall/RemoveCtrl.cab
    O16 - DPF: {CAA057EE-809B-48E4-BE9C-367C32486C0D} (Crystal Print Control 10.0) - http://brazosreports/crystalreportviewers10/ActiveXControls/PrintControl.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qliktech.webex.com/client/T25L/webex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BHESC.ORG
    O17 - HKLM\Software\..\Telephony: DomainName = BHESC.ORG
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D84D79DA-768F-44BD-B541-5574514EDE4E}: NameServer = 192.168.6.202,192.168.5.35
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BHESC.ORG
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BHESC.ORG
    O18 - Protocol: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - C:\Program Files\QlikView\QvProtocol\qvp.dll
    O20 - AppInit_DLLs: PGPmapih.dll
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
    O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
    O23 - Service: Reflection Servers - WRQ, Inc. - C:\Program Files\Reflection\rninetd.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Dantz - C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
    O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
    O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

    --
    End of file - 12253 bytes

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
    DriveLetterAccess - C:\WINDOWS\system32\dla\tfswshx.dll [2005-02-25 118844]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-11-13 320920]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2006-02-14 1191424]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
    Adobe PDF Conversion Toolbar Helper - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2005-09-23 231160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-11-13 34816]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
    JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-11-13 73728]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2006-02-14 1191424]
    {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2005-09-23 231160]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2005-08-04 343112]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Smapp"=C:\Program Files\Analog Devices\SoundMAX\SMTray.exe [2003-05-05 143360]
    "DrvLsnr"=C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe [2003-05-08 69632]
    "nwiz"=nwiz.exe /installquiet []
    "NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-11-04 7204864]
    "dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2005-02-25 127037]
    "ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]
    "ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-07-27 81920]
    "PDF Complete"=C:\Program Files\PDF Complete\pdfsty.exe [2005-03-06 276480]
    "Acrobat Assistant 7.0"=C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2006-01-12 483328]
    ""=[]
    "Client Access Service"=C:\Program Files\IBM\Client Access\cwbsvstr.exe [2004-01-23 20530]
    "Client Access Help Update"=C:\Program Files\IBM\Client Access\cwbinhlp.exe [2004-01-23 24626]
    "Client Access Check Version"=C:\Program Files\IBM\Client Access\cwbckver.exe [2004-01-23 45106]
    "Client Access Express Welcome"=C:\Program Files\IBM\Client Access\cwbwlwiz.exe [2004-01-23 20480]
    "Client Access PC5250 Sound"=C:\Program Files\IBM\Client Access\Emulator\pcssnd.exe [2004-01-23 40960]
    "OfficeScanNT Monitor"=C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe [2007-12-11 710000]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-13 136600]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
    "updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe [2006-03-30 313472]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe
    PGPtray.exe.lnk - C:\WINDOWS\Installer\{882025A7-7599-4989-8FCD-7604FB90D6A9}\Icon6560581611.exe
    Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"="PGPmapih.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "notification packages"=scecli
    PGPpwflt

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=1
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=145

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"
    "C:\Program Files\BizFlow\bin\hwnmsg.exe"="C:\Program Files\BizFlow\bin\hwnmsg.exe:*:Enabled:BizFlow Notification Receiver"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\Program Files\Ares\Ares.exe"="C:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows"

    ======List of files/folders created in the last 3 months======

    2008-11-13 17:21:30 ----D---- C:\rsit
    2008-11-13 14:47:18 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-11-13 14:47:18 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-11-13 14:47:18 ----A---- C:\WINDOWS\system32\java.exe
    2008-11-13 14:47:18 ----A---- C:\WINDOWS\system32\deploytk.dll
    2008-11-13 14:47:05 ----D---- C:\Program Files\Java
    2008-11-13 14:30:00 ----D---- C:\Program Files\UPHClean
    2008-11-13 13:25:55 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
    2008-11-13 13:25:45 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
    2008-11-13 11:25:40 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-11-13 11:01:31 ----D---- C:\WINDOWS\Prefetch
    2008-11-13 09:08:55 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
    2008-11-13 09:08:47 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
    2008-11-13 09:08:38 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
    2008-11-13 09:08:26 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
    2008-11-13 09:08:17 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
    2008-11-13 09:08:06 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
    2008-11-13 09:07:57 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
    2008-11-13 09:07:47 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
    2008-11-13 09:07:39 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
    2008-11-13 09:07:29 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
    2008-11-13 09:07:22 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
    2008-11-13 09:07:14 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
    2008-11-13 09:07:06 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
    2008-11-13 09:06:56 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
    2008-11-13 09:06:47 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
    2008-11-13 09:06:40 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
    2008-11-13 09:06:31 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
    2008-11-13 09:06:23 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
    2008-11-13 09:02:23 ----D---- C:\WINDOWS\system32\scripting
    2008-11-13 09:02:23 ----D---- C:\WINDOWS\l2schemas
    2008-11-13 09:02:22 ----D---- C:\WINDOWS\system32\en
    2008-11-13 09:02:22 ----D---- C:\WINDOWS\system32\bits
    2008-11-13 08:59:04 ----D---- C:\WINDOWS\ServicePackFiles
    2008-11-13 08:53:53 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
    2008-11-13 03:00:53 ----HDC---- C:\WINDOWS\$NtUninstallKB957097_0$
    2008-11-13 03:00:44 ----HDC---- C:\WINDOWS\$NtUninstallKB955069_0$
    2008-11-12 12:03:40 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    2008-11-06 11:10:15 ----A---- C:\logfile.txt
    2008-10-24 02:00:38 ----HDC---- C:\WINDOWS\$NtUninstallKB958644_0$
    2008-10-16 02:00:38 ----HDC---- C:\WINDOWS\$NtUninstallKB954211_0$
    2008-10-15 02:02:13 ----HDC---- C:\WINDOWS\$NtUninstallKB956803_0$
    2008-10-15 02:02:07 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
    2008-10-15 02:02:00 ----HDC---- C:\WINDOWS\$NtUninstallKB957095_0$
    2008-10-15 02:01:26 ----HDC---- C:\WINDOWS\$NtUninstallKB956841_0$
    2008-09-30 16:43:34 ----A---- C:\WINDOWS\system32\msxml4.dll
    2008-09-12 09:36:38 ----D---- C:\Program Files\Microsoft Analysis Services
    2008-09-12 09:31:44 ----D---- C:\Program Files\Microsoft Visual Studio 8
    2008-09-12 09:31:44 ----D---- C:\Program Files\Common Files\Merge Modules
    2008-09-12 09:31:09 ----D---- C:\Program Files\SQLXML 4.0
    2008-09-12 00:10:28 ----N---- C:\WINDOWS\system32\wlanapi.dll
    2008-09-12 00:10:24 ----N---- C:\WINDOWS\system32\tspkg.dll
    2008-09-12 00:10:24 ----N---- C:\WINDOWS\system32\tsgqec.dll
    2008-09-12 00:10:21 ----N---- C:\WINDOWS\system32\spupdwxp.exe
    2008-09-12 00:10:21 ----A---- C:\WINDOWS\system32\spdwnwxp.exe
    2008-09-12 00:10:20 ----N---- C:\WINDOWS\system32\slserv.exe
    2008-09-12 00:10:20 ----N---- C:\WINDOWS\system32\slrundll.exe
    2008-09-12 00:10:20 ----N---- C:\WINDOWS\system32\slgen.dll
    2008-09-12 00:10:20 ----N---- C:\WINDOWS\system32\slextspk.dll
    2008-09-12 00:10:20 ----N---- C:\WINDOWS\system32\slcoinst.dll
    2008-09-12 00:10:20 ----N---- C:\WINDOWS\slrundll.exe
    2008-09-12 00:10:19 ----N---- C:\WINDOWS\system32\setupn.exe
    2008-09-12 00:10:18 ----N---- C:\WINDOWS\system32\s3gnb.dll
    2008-09-12 00:10:17 ----N---- C:\WINDOWS\system32\rhttpaa.dll
    2008-09-12 00:10:17 ----N---- C:\WINDOWS\system32\rasqec.dll
    2008-09-12 00:10:17 ----N---- C:\WINDOWS\system32\qutil.dll
    2008-09-12 00:10:16 ----N---- C:\WINDOWS\system32\qcliprov.dll
    2008-09-12 00:10:16 ----N---- C:\WINDOWS\system32\qagentrt.dll
    2008-09-12 00:10:16 ----N---- C:\WINDOWS\system32\qagent.dll
    2008-09-12 00:10:15 ----N---- C:\WINDOWS\system32\onex.dll
    2008-09-12 00:10:12 ----N---- C:\WINDOWS\system32\napstat.exe
    2008-09-12 00:10:12 ----N---- C:\WINDOWS\system32\napmontr.dll
    2008-09-12 00:10:12 ----N---- C:\WINDOWS\system32\napipsec.dll
    2008-09-12 00:10:12 ----N---- C:\WINDOWS\system32\mtxparhd.dll
    2008-09-12 00:10:11 ----N---- C:\WINDOWS\system32\msshavmsg.dll
    2008-09-12 00:10:11 ----N---- C:\WINDOWS\system32\mssha.dll
    2008-09-12 00:10:06 ----N---- C:\WINDOWS\system32\mmcperf.exe
    2008-09-12 00:10:06 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
    2008-09-12 00:10:06 ----N---- C:\WINDOWS\system32\mmcex.dll
    2008-09-12 00:10:05 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
    2008-09-12 00:10:05 ----N---- C:\WINDOWS\system32\mdmxsdk.dll
    2008-09-12 00:10:01 ----N---- C:\WINDOWS\system32\l2gpstore.dll
    2008-09-12 00:10:01 ----N---- C:\WINDOWS\system32\kmsvc.dll
    2008-09-12 00:10:01 ----N---- C:\WINDOWS\system32\kbdpash.dll
    2008-09-12 00:10:01 ----N---- C:\WINDOWS\system32\kbdnepr.dll
    2008-09-12 00:10:01 ----N---- C:\WINDOWS\system32\kbdiultn.dll
    2008-09-12 00:10:01 ----N---- C:\WINDOWS\system32\kbdbhc.dll
    2008-09-12 00:09:58 ----N---- C:\WINDOWS\system32\smtpapi.dll
    2008-09-12 00:09:58 ----N---- C:\WINDOWS\system32\rwnh.dll
    2008-09-12 00:09:57 ----N---- C:\WINDOWS\system32\comsdupd.exe
    2008-09-12 00:09:55 ----N---- C:\WINDOWS\system32\hsfcisp2.dll
    2008-09-12 00:09:51 ----N---- C:\WINDOWS\system32\faxpatch.exe
    2008-09-12 00:09:51 ----A---- C:\WINDOWS\003081_.tmp
    2008-09-12 00:09:50 ----N---- C:\WINDOWS\system32\eapsvc.dll
    2008-09-12 00:09:50 ----N---- C:\WINDOWS\system32\eapqec.dll
    2008-09-12 00:09:50 ----N---- C:\WINDOWS\system32\eappprxy.dll
    2008-09-12 00:09:50 ----N---- C:\WINDOWS\system32\eapphost.dll
    2008-09-12 00:09:50 ----N---- C:\WINDOWS\system32\eappgnui.dll
    2008-09-12 00:09:50 ----N---- C:\WINDOWS\system32\eappcfg.dll
    2008-09-12 00:09:50 ----N---- C:\WINDOWS\system32\eapp3hst.dll
    2008-09-12 00:09:50 ----N---- C:\WINDOWS\system32\eapolqec.dll
    2008-09-12 00:09:49 ----N---- C:\WINDOWS\system32\dot3ui.dll
    2008-09-12 00:09:49 ----N---- C:\WINDOWS\system32\dot3svc.dll
    2008-09-12 00:09:49 ----N---- C:\WINDOWS\system32\dot3msm.dll
    2008-09-12 00:09:49 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
    2008-09-12 00:09:49 ----N---- C:\WINDOWS\system32\dot3dlg.dll
    2008-09-12 00:09:49 ----N---- C:\WINDOWS\system32\dot3cfg.dll
    2008-09-12 00:09:49 ----N---- C:\WINDOWS\system32\dot3api.dll
    2008-09-12 00:09:48 ----N---- C:\WINDOWS\system32\dimsroam.dll
    2008-09-12 00:09:48 ----N---- C:\WINDOWS\system32\dimsntfy.dll
    2008-09-12 00:09:48 ----N---- C:\WINDOWS\system32\dhcpqec.dll
    2008-09-12 00:09:46 ----N---- C:\WINDOWS\system32\credssp.dll
    2008-09-12 00:09:44 ----N---- C:\WINDOWS\system32\bitsprx4.dll
    2008-09-12 00:09:44 ----N---- C:\WINDOWS\system32\azroles.dll
    2008-09-12 00:09:43 ----N---- C:\WINDOWS\system32\ativvaxx.dll
    2008-09-12 00:09:43 ----N---- C:\WINDOWS\system32\ativtmxx.dll
    2008-09-12 00:09:43 ----N---- C:\WINDOWS\system32\ati3duag.dll
    2008-09-12 00:09:43 ----N---- C:\WINDOWS\system32\ati3d1ag.dll
    2008-09-12 00:09:43 ----N---- C:\WINDOWS\system32\ati2dvag.dll
    2008-09-12 00:09:43 ----N---- C:\WINDOWS\system32\ati2dvaa.dll
    2008-09-12 00:09:43 ----N---- C:\WINDOWS\system32\ati2cqag.dll
    2008-09-12 00:09:40 ----N---- C:\WINDOWS\system32\aaclient.dll
    2008-09-10 02:00:27 ----HDC---- C:\WINDOWS\$NtUninstallKB938464_0$
    2008-09-08 12:20:20 ----A---- C:\WINDOWS\system32\ptpusb.dll
    2008-09-08 12:20:19 ----A---- C:\WINDOWS\system32\ptpusd.dll
    2008-09-05 23:30:42 ----N---- C:\WINDOWS\system32\WgaLogon.dll
    2008-09-05 23:29:58 ----N---- C:\WINDOWS\system32\WgaTray.exe
    2008-08-29 20:06:44 ----A---- C:\WINDOWS\system32\msxml6.dll

    ======List of files/folders modified in the last 3 months======

    2008-11-13 15:03:11 ----A---- C:\WINDOWS\cfgall.ini
    2008-11-13 14:56:41 ----D---- C:\WINDOWS\system32
    2008-11-13 14:56:41 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
    2008-11-13 14:53:14 ----D---- C:\Documents and Settings\jessicaf\Application Data\AdobeUM
    2008-11-13 14:53:11 ----D---- C:\WINDOWS\Temp
    2008-11-13 14:52:37 ----D---- C:\WINDOWS\system32\drivers
    2008-11-13 14:51:43 ----A---- C:\WINDOWS\SchedLgU.Txt
    2008-11-13 14:47:29 ----SHD---- C:\WINDOWS\Installer
    2008-11-13 14:47:05 ----RD---- C:\Program Files
    2008-11-13 14:44:10 ----D---- C:\Program Files\Common Files
    2008-11-13 14:33:12 ----D---- C:\WINDOWS
    2008-11-13 14:33:05 ----D---- C:\WINDOWS\security
    2008-11-13 13:26:01 ----HD---- C:\WINDOWS\inf
    2008-11-13 13:25:59 ----RSHD---- C:\WINDOWS\system32\dllcache
    2008-11-13 13:25:52 ----A---- C:\WINDOWS\imsins.BAK
    2008-11-13 12:01:49 ----HD---- C:\WINDOWS\$hf_mig$
    2008-11-13 12:01:42 ----D---- C:\WINDOWS\system32\CatRoot2
    2008-11-13 11:31:22 ----D---- C:\Program Files\Trend Micro
    2008-11-13 11:27:24 ----SHD---- C:\WINDOWS\CSC
    2008-11-13 11:03:05 ----A---- C:\WINDOWS\OEWABLog.txt
    2008-11-13 11:01:46 ----A---- C:\WINDOWS\setuplog.txt
    2008-11-13 11:01:14 ----D---- C:\WINDOWS\system32\wbem
    2008-11-13 11:01:14 ----D---- C:\WINDOWS\system32\Setup
    2008-11-13 11:01:14 ----D---- C:\WINDOWS\ime
    2008-11-13 11:01:14 ----D---- C:\WINDOWS\AppPatch
    2008-11-13 11:01:14 ----D---- C:\Program Files\Messenger
    2008-11-13 11:01:13 ----RSD---- C:\WINDOWS\Fonts
    2008-11-13 09:09:14 ----D---- C:\WINDOWS\system32\CatRoot
    2008-11-13 09:03:17 ----D---- C:\WINDOWS\WinSxS
    2008-11-13 09:03:08 ----D---- C:\Program Files\Windows Media Player
    2008-11-13 09:02:43 ----D---- C:\WINDOWS\system32\inetsrv
    2008-11-13 09:02:42 ----D---- C:\WINDOWS\network diagnostic
    2008-11-13 09:02:42 ----D---- C:\WINDOWS\Help
    2008-11-13 09:02:25 ----D---- C:\WINDOWS\system32\en-US
    2008-11-13 09:02:24 ----D---- C:\WINDOWS\system32\usmt
    2008-11-13 09:02:22 ----D---- C:\WINDOWS\PeerNet
    2008-11-13 09:02:21 ----D---- C:\Program Files\Movie Maker
    2008-11-13 08:58:53 ----D---- C:\WINDOWS\system32\Restore
    2008-11-13 08:58:53 ----D---- C:\WINDOWS\system32\npp
    2008-11-13 08:58:53 ----D---- C:\WINDOWS\mui
    2008-11-13 08:58:52 ----D---- C:\WINDOWS\msagent
    2008-11-13 08:58:50 ----D---- C:\WINDOWS\srchasst
    2008-11-13 08:58:49 ----D---- C:\Program Files\NetMeeting
    2008-11-13 08:58:48 ----D---- C:\WINDOWS\system32\Com
    2008-11-13 08:58:44 ----D---- C:\Program Files\Windows NT
    2008-11-13 08:58:43 ----D---- C:\Program Files\Outlook Express
    2008-11-13 08:58:41 ----D---- C:\Program Files\Common Files\System
    2008-11-13 08:58:25 ----D---- C:\WINDOWS\system32\oobe
    2008-11-13 08:58:23 ----D---- C:\WINDOWS\system
    2008-11-13 08:55:52 ----D---- C:\WINDOWS\system32\ReinstallBackups
    2008-11-13 08:53:52 ----D---- C:\WINDOWS\ehome
    2008-11-13 08:41:13 ----A---- C:\WINDOWS\cfgrs_ex.ini
    2008-11-13 08:41:13 ----A---- C:\WINDOWS\cfgrs.ini
    2008-11-06 16:47:53 ----SHD---- C:\System Volume Information
    2008-11-03 18:10:25 ----A---- C:\WINDOWS\system32\MRT.exe
    2008-10-29 13:00:12 ----SD---- C:\Documents and Settings\jessicaf\Application Data\Microsoft
    2008-10-29 13:00:12 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2008-10-16 14:13:40 ----A---- C:\WINDOWS\system32\wuweb.dll
    2008-10-16 14:13:40 ----A---- C:\WINDOWS\system32\wuaueng.dll
    2008-10-16 14:12:22 ----A---- C:\WINDOWS\system32\wucltui.dll
    2008-10-16 14:12:20 ----A---- C:\WINDOWS\system32\wuapi.dll
    2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\wups2.dll
    2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\wuauclt.exe
    2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\cdm.dll
    2008-10-16 14:09:40 ----A---- C:\WINDOWS\system32\wucltui.dll.mui
    2008-10-16 14:08:58 ----A---- C:\WINDOWS\system32\wups.dll
    2008-10-16 14:07:44 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
    2008-10-16 14:07:14 ----A---- C:\WINDOWS\system32\wuaueng.dll.mui
    2008-10-15 10:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll
    2008-10-15 02:01:49 ----D---- C:\Program Files\Internet Explorer
    2008-10-03 11:41:15 ----A---- C:\WINDOWS\system32\ieframe.dll
    2008-09-12 10:13:53 ----D---- C:\WINDOWS\Microsoft.NET
    2008-09-12 10:13:44 ----RSD---- C:\WINDOWS\assembly
    2008-09-12 09:40:24 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-09-12 09:39:14 ----D---- C:\Program Files\Common Files\Microsoft Shared
    2008-09-12 09:37:55 ----D---- C:\Program Files\Microsoft SQL Server
    2008-09-12 09:31:55 ----D---- C:\WINDOWS\system32\1033
    2008-09-12 09:26:52 ----D---- C:\WINDOWS\Registration
    2008-09-11 23:54:42 ----D---- C:\WINDOWS\Debug
    2008-09-05 23:30:06 ----N---- C:\WINDOWS\system32\LegitCheckControl.dll
    2008-09-04 11:15:04 ----A---- C:\WINDOWS\system32\msxml3.dll
    2008-08-27 02:24:32 ----A---- C:\WINDOWS\system32\mshtml.dll
    2008-08-26 01:24:31 ----A---- C:\WINDOWS\system32\wininet.dll
    2008-08-26 01:24:31 ----A---- C:\WINDOWS\system32\webcheck.dll
    2008-08-26 01:24:31 ----A---- C:\WINDOWS\system32\urlmon.dll
    2008-08-26 01:24:30 ----N---- C:\WINDOWS\system32\mstime.dll
    2008-08-26 01:24:30 ----N---- C:\WINDOWS\system32\msrating.dll
    2008-08-26 01:24:30 ----N---- C:\WINDOWS\system32\jsproxy.dll
    2008-08-26 01:24:30 ----A---- C:\WINDOWS\system32\url.dll
    2008-08-26 01:24:30 ----A---- C:\WINDOWS\system32\pngfilt.dll
    2008-08-26 01:24:30 ----A---- C:\WINDOWS\system32\occache.dll
    2008-08-26 01:24:30 ----A---- C:\WINDOWS\system32\mshtmled.dll
    2008-08-26 01:24:30 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
    2008-08-26 01:24:30 ----A---- C:\WINDOWS\system32\msfeeds.dll
    2008-08-26 01:24:29 ----N---- C:\WINDOWS\system32\iernonce.dll
    2008-08-26 01:24:29 ----N---- C:\WINDOWS\system32\iedkcs32.dll
    2008-08-26 01:24:29 ----A---- C:\WINDOWS\system32\iertutil.dll
    2008-08-26 01:24:28 ----N---- C:\WINDOWS\system32\ieaksie.dll
    2008-08-26 01:24:28 ----N---- C:\WINDOWS\system32\ieakeng.dll
    2008-08-26 01:24:28 ----N---- C:\WINDOWS\system32\extmgr.dll
    2008-08-26 01:24:28 ----A---- C:\WINDOWS\system32\ieapfltr.dll
    2008-08-26 01:24:28 ----A---- C:\WINDOWS\system32\icardie.dll
    2008-08-26 01:24:28 ----A---- C:\WINDOWS\system32\dxtrans.dll
    2008-08-26 01:24:28 ----A---- C:\WINDOWS\system32\dxtmsft.dll
    2008-08-26 01:24:28 ----A---- C:\WINDOWS\system32\advpack.dll
    2008-08-25 02:38:00 ----A---- C:\WINDOWS\system32\ieudinit.exe
    2008-08-25 02:37:59 ----N---- C:\WINDOWS\system32\ie4uinit.exe
    2008-08-22 23:54:51 ----N---- C:\WINDOWS\system32\ieakui.dll
    2008-08-14 04:09:26 ----A---- C:\WINDOWS\system32\ntoskrnl.exe
    2008-08-14 03:33:16 ----A---- C:\WINDOWS\system32\ntkrnlpa.exe

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
    R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2004-12-02 5627]
    R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2004-12-02 23545]
    R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\system32\DRIVERS\tmtdi.sys [2007-08-31 78864]
    R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
    R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2004-12-23 40544]
    R2 PGPdisk;PGPdisk; C:\WINDOWS\system32\drivers\PGPdisk.sys [2007-08-10 224256]
    R2 PGPsdkDriver;PGPsdkDriver; C:\WINDOWS\System32\Drivers\PGPsdk.sys [2007-08-10 33792]
    R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2005-02-25 25725]
    R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2005-02-25 34845]
    R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2005-02-25 4125]
    R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2005-02-25 2241]
    R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2005-02-25 86684]
    R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2005-02-25 14877]
    R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2005-02-25 6365]
    R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2005-02-25 98716]
    R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2005-02-25 100605]
    R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
    R2 TmFilter;Trend Micro Filter; \??\C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys []
    R2 TmPreFilter;Trend Micro PreFilter; \??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys []
    R2 VSApiNt;Trend Micro VSAPI NT; \??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys []
    R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2003-03-13 100224]
    R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2005-04-05 132352]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-11-04 3519360]
    R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-05-27 578304]
    R3 tmcfw;Trend Micro Common Firewall Service; C:\WINDOWS\system32\DRIVERS\TM_CFW.sys [2007-04-20 307984]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
    S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\system32\DRIVERS\p3.sys [2008-04-13 42752]
    S3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
    S3 Blfp;Broadcom Advanced Server Program Driver; C:\WINDOWS\system32\DRIVERS\baspxp32.sys [2005-03-04 65664]
    S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
    S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
    S3 i81x;i81x; C:\WINDOWS\system32\DRIVERS\i81xnt5.sys [2004-08-03 161020]
    S3 iAimFP0;iAimFP0; C:\WINDOWS\system32\DRIVERS\wADV01nt.sys [2004-08-03 12415]
    S3 iAimFP1;iAimFP1; C:\WINDOWS\system32\DRIVERS\wADV02NT.sys [2004-08-03 12127]
    S3 iAimFP2;iAimFP2; C:\WINDOWS\system32\DRIVERS\wADV05NT.sys [2004-08-03 11775]
    S3 iAimFP3;iAimFP3; C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys [2004-08-03 12063]
    S3 iAimFP4;iAimFP4; C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys [2004-08-03 19455]
    S3 iAimFP5;iAimFP5; C:\WINDOWS\system32\DRIVERS\wADV07nt.sys [2004-08-03 11807]
    S3 iAimFP6;iAimFP6; C:\WINDOWS\system32\DRIVERS\wADV08nt.sys [2004-08-03 11295]
    S3 iAimFP7;iAimFP7; C:\WINDOWS\system32\DRIVERS\wADV09nt.sys [2004-08-03 11871]
    S3 iAimTV0;iAimTV0; C:\WINDOWS\system32\DRIVERS\wATV01nt.sys [2004-08-03 29311]
    S3 iAimTV1;iAimTV1; C:\WINDOWS\system32\DRIVERS\wATV02NT.sys [2004-08-03 19551]
    S3 iAimTV3;iAimTV3; C:\WINDOWS\system32\DRIVERS\wATV04nt.sys [2004-08-03 33599]
    S3 iAimTV4;iAimTV4; C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys [2004-08-03 23615]
    S3 iAimTV5;iAimTV5; C:\WINDOWS\system32\DRIVERS\wATV10nt.sys [2004-08-03 25471]
    S3 iAimTV6;iAimTV6; C:\WINDOWS\system32\DRIVERS\wATV06nt.sys [2004-08-03 22271]
    S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
    S4 adpu320;adpu320; C:\WINDOWS\system32\DRIVERS\adpu320.sys [2002-05-08 105472]
    S4 iaStor;Intel RAID Controller; C:\WINDOWS\System32\DRIVERS\iaStor.sys [2004-10-19 478208]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
    S4 Symmpi;Symmpi; C:\WINDOWS\system32\DRIVERS\symmpi.sys [2002-04-03 28416]

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-13 152984]
    R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-01-20 73728]
    R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
    R2 MSSQL$JESSICAB;MSSQL$JESSICAB; C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe [2000-08-06 7442493]
    R2 ntrtscan;OfficeScanNT RealTime Scan; C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe [2007-12-11 779632]
    R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-11-04 143427]
    R2 pdfcDispatcher;PDF Document Manager; C:\Program Files\PDF Complete\pdfsvc.exe [2005-03-06 476160]
    R2 PGPserv;PGPserv; C:\WINDOWS\system32\PGPserv.exe [2007-08-10 92672]
    R2 r_server;Remote Administrator Service; C:\WINDOWS\system32\r_server.exe [2005-06-21 724992]
    R2 RetroLauncher;Retrospect Launcher; C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe [2005-06-10 73728]
    R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
    R2 SQLAgent$JESSICAB;SQLAgent$JESSICAB; C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlagent.exe [2000-08-06 303170]
    R2 tmlisten;OfficeScan NT Listener; C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe [2007-12-11 808304]
    R2 UPHClean;User Profile Hive Cleanup; C:\Program Files\UPHClean\uphclean.exe [2005-04-27 241725]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
    S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
    S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
    S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2000-08-06 65602]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
    S3 Reflection Servers;Reflection Servers; C:\Program Files\Reflection\rninetd.exe [1998-08-27 98816]
    S3 TmPfw;OfficeScan NT Firewall; C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe [2007-04-04 943696]
    S3 TmProxy;OfficeScan NT Proxy Service; C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe [2007-04-27 575064]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
    S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]

    -----------------EOF-----------------
     
  2. 2008/11/13
    jfadal

    jfadal Inactive Thread Starter

    Joined:
    2008/11/13
    Messages:
    5
    Likes Received:
    0
    IE Redirect Issue Part 2

    Canceled post
     
    Last edited: 2008/11/13


  4. 2008/11/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS jfadal :)

    Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  5. 2008/11/25
    jfadal

    jfadal Inactive Thread Starter

    Joined:
    2008/11/13
    Messages:
    5
    Likes Received:
    0
    combofix log:
    ComboFix 08-11-24.03 - jessicaf 2008-11-25 11:31:06.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2613 [GMT -6:00]
    Running from: c:\documents and settings\jessicaf\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\IE4 Error Log.txt
    c:\windows\system32\ntnet.drv
    c:\windows\system32\sysaudio.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_R_SERVER
    -------\Service_r_server


    ((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
    .

    2008-11-18 08:29 . 2008-11-18 08:29 0 --a------ c:\windows\nsreg.dat
    2008-11-17 09:10 . 2008-11-19 13:56 664 --a------ c:\windows\system32\d3d9caps.dat
    2008-11-13 17:21 . 2008-11-13 17:21 <DIR> d-------- C:\rsit
    2008-11-13 14:47 . 2008-11-13 14:47 <DIR> d-------- c:\program files\Java
    2008-11-13 14:47 . 2008-11-13 14:47 410,976 --a------ c:\windows\system32\deploytk.dll
    2008-11-13 14:47 . 2008-11-13 14:47 73,728 --a------ c:\windows\system32\javacpl.cpl
    2008-11-13 14:30 . 2008-11-13 14:30 <DIR> d-------- c:\program files\UPHClean
    2008-11-13 09:02 . 2008-11-13 09:02 <DIR> d-------- c:\windows\system32\scripting
    2008-11-13 09:02 . 2008-11-13 09:02 <DIR> d-------- c:\windows\system32\en
    2008-11-13 09:02 . 2008-11-13 09:02 <DIR> d-------- c:\windows\system32\bits
    2008-11-13 09:02 . 2008-11-13 09:02 <DIR> d-------- c:\windows\l2schemas
    2008-11-13 08:59 . 2008-11-13 09:03 <DIR> d-------- c:\windows\ServicePackFiles
    2008-11-12 17:43 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-25 17:35 --------- d-----w c:\documents and settings\jessicaf\Application Data\AdobeUM
    2008-11-20 21:51 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
    2008-11-13 17:31 --------- d-----w c:\program files\Trend Micro
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2006-12-21 22:02 88 --sh--r c:\windows\system32\BDA70BBF2B.sys
    2006-12-21 22:02 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
    @= "{3DBF5F01-3287-46EB-82CF-45AA5C241162} "
    [HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
    2007-08-10 15:27 598016 --a------ c:\windows\system32\PGPfsshl.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "updateMgr "= "c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smapp "= "c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
    "DrvLsnr "= "c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2005-11-04 7204864]
    "dla "= "c:\windows\system32\dla\tfswctrl.exe" [2005-02-25 127037]
    "ISUSPM Startup "= "c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "PDF Complete "= "c:\program files\PDF Complete\pdfsty.exe" [2005-03-06 276480]
    "Acrobat Assistant 7.0 "= "c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 483328]
    "Client Access Service "= "c:\program files\IBM\Client Access\cwbsvstr.exe" [2004-01-23 20530]
    "Client Access Help Update "= "c:\program files\IBM\Client Access\cwbinhlp.exe" [2004-01-23 24626]
    "Client Access Check Version "= "c:\program files\IBM\Client Access\cwbckver.exe" [2004-01-23 45106]
    "Client Access Express Welcome "= "c:\program files\IBM\Client Access\cwbwlwiz.exe" [2004-01-23 20480]
    "Client Access PC5250 Sound "= "c:\program files\IBM\Client Access\Emulator\pcssnd.exe" [2004-01-23 40960]
    "OfficeScanNT Monitor "= "c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-12-11 710000]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2008-11-13 136600]
    "nwiz "= "nwiz.exe" [2005-11-04 c:\windows\system32\nwiz.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-06-20 25214]
    PGPtray.exe.lnk - c:\windows\Installer\{882025A7-7599-4989-8FCD-7604FB90D6A9}\Icon6560581611.exe [2008-01-17 55296]
    Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2006-06-21 69632]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-09-23 415072]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=PGPmapih.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux "= sysaudio.sys

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli PGPpwflt

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=

    R0 pgpfs;PGP File Sharing;c:\windows\system32\Drivers\PGPfsfd.sys [2007-08-10 97792]
    R0 PGPwded;PGPwded Storage Filter Service;c:\windows\system32\drivers\PGPwded.sys [2007-08-10 168960]
    R2 MSSQL$JESSICAB;MSSQL$JESSICAB;c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe -sJESSICAB []
    R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService [2006-05-27 476160]
    R2 PGPdisk;PGPdisk;c:\windows\system32\drivers\PGPdisk.sys [2007-08-10 224256]
    R2 PGPsdkDriver;PGPsdkDriver;c:\windows\system32\Drivers\PGPsdk.sys [2007-08-10 33792]
    R2 SQLAgent$JESSICAB;SQLAgent$JESSICAB;c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlagent.exe -i JESSICAB []
    S4 msvsmon80;Visual Studio 2005 Remote Debugger; "c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\jessicaf\Application Data\Mozilla\Firefox\Profiles\e6gyhbyv.default\
    FF -: plugin - c:\program files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
    FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
    FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
    FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-25 11:34:45
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
    "ImagePath "= "c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1012)
    c:\windows\system32\PGPlsp.dll

    - - - - - - - > 'lsass.exe'(1068)
    c:\windows\system32\PGPlsp.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\progra~1\MI6841~1\MSSQL$~1\Binn\sqlservr.exe
    c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\PDF Complete\pdfsvc.exe
    c:\windows\system32\PGPserv.exe
    c:\program files\Dantz\Retrospect 7.0\retrorun.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\program files\UPHClean\uphclean.exe
    c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
    c:\progra~1\MI6841~1\MSSQL$~1\Binn\sqlagent.exe
    c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
    c:\windows\Temp\EN5D59.EXE
    c:\windows\system32\rundll32.exe
    c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-25 11:36:50 - machine was rebooted [jessicaf]
    ComboFix-quarantined-files.txt 2008-11-25 17:36:47

    Pre-Run: 34,335,965,184 bytes free
    Post-Run: 48,530,632,704 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    157 --- E O F --- 2008-11-13 19:26:01
     
  6. 2008/11/25
    jfadal

    jfadal Inactive Thread Starter

    Joined:
    2008/11/13
    Messages:
    5
    Likes Received:
    0
    New HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:38, on 2008-11-25
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\PDF Complete\pdfsvc.exe
    C:\WINDOWS\system32\PGPserv.exe
    C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlagent.exe
    C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
    C:\WINDOWS\TEMP\EN5D59.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\PDF Complete\pdfsty.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\pccnt.exe
    C:\WINDOWS\system32\mstsc.exe
    C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\devenv.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wacointranet/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe "
    O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe "
    O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
    O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe "
    O4 - HKLM\..\Run: [Client Access PC5250 Sound] "C:\Program Files\IBM\Client Access\Emulator\pcssnd.exe "
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: PGPtray.exe.lnk = ?
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://192.168.6.37:4343/officescan/console/html/ClientInstall/WinNTChk.cab
    O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://192.168.6.37:4343/officescan/console/html/ClientInstall/setup.cab
    O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://192.168.6.37:4343/officescan/console/html/root/AtxEnc.cab
    O16 - DPF: {427BD09A-B354-4AF3-89CC-7EB3B315554B} (HWAUCtrl Class) - http://edmsdev:8080/bizflow/controls/hwau.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.6.37:4343/officescan/console/html/ClientInstall/RemoveCtrl.cab
    O16 - DPF: {CAA057EE-809B-48E4-BE9C-367C32486C0D} (Crystal Print Control 10.0) - http://brazosreports/crystalreportviewers10/ActiveXControls/PrintControl.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qliktech.webex.com/client/T25L/webex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BHESC.ORG
    O17 - HKLM\Software\..\Telephony: DomainName = BHESC.ORG
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D84D79DA-768F-44BD-B541-5574514EDE4E}: NameServer = 192.168.6.202,192.168.5.35
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BHESC.ORG
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BHESC.ORG
    O18 - Protocol: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - C:\Program Files\QlikView\QvProtocol\qvp.dll
    O20 - AppInit_DLLs: PGPmapih.dll
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
    O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
    O23 - Service: Reflection Servers - WRQ, Inc. - C:\Program Files\Reflection\rninetd.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Dantz - C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
    O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

    --
    End of file - 11936 bytes
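    The posted HijackThis log is a fixed line format (`Onn - body`), so the entry types in it can be triaged mechanically. The following is an added example, not part of this thread or of HijackThis itself: it parses such lines and applies two defender-side checks, O17 DNS servers outside RFC 1918 space and O16 ActiveX controls fetched over cleartext HTTP. The 203.0.113.9 resolver and its GUID are constructed values; the other sample lines are copied from the log above.

```python
import ipaddress
import re

# Constructed sample in the HijackThis v2 log format, modelled on the posted log.
# The 203.0.113.9 nameserver and its GUID are constructed (TEST-NET-3) to exercise
# the check; the remaining lines are copied from the posted log.
SAMPLE_LOG = """\
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: Domain = BHESC.ORG
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{D84D79DA-768F-44BD-B541-5574514EDE4E}: NameServer = 192.168.6.202,192.168.5.35
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{CONSTRUCTED-GUID}: NameServer = 203.0.113.9
O20 - AppInit_DLLs: PGPmapih.dll
O23 - Service: PGPserv - PGP Corporation - C:\\WINDOWS\\system32\\PGPserv.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
O16_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)$")
# Checked explicitly rather than via ipaddress.is_private, which also treats
# documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hjt(text):
    """Return (section, body) pairs for every 'Onn - ...' line; other lines are skipped."""
    return [m.groups() for m in map(ENTRY_RE.match, (l.strip() for l in text.splitlines())) if m]


def nameservers(entries):
    """Every DNS server named in an O17 NameServer entry, in log order."""
    servers = []
    for section, body in entries:
        if section == "O17" and "NameServer =" in body:
            servers += [s.strip() for s in body.split("NameServer =", 1)[1].split(",")]
    return servers


def unexpected_nameservers(entries):
    """Triage heuristic: on a domain-joined PC with internal resolvers, a nameserver
    outside RFC 1918 space is an anomaly to verify against the site's DHCP/DNS config."""
    return [s for s in nameservers(entries) if not any(ipaddress.ip_address(s) in n for n in RFC1918)]


def plain_http_activex(entries):
    """O16 ActiveX downloads as (CLSID, name, URL) whose .cab came over cleartext HTTP."""
    hits = []
    for section, body in entries:
        m = O16_RE.match(body) if section == "O16" else None
        if m and m.group(3).lower().startswith("http://"):
            hits.append(m.groups())
    return hits


def appinit_dlls(entries):
    """DLLs listed in O20 AppInit_DLLs; these are loaded into every process that maps user32.dll."""
    return [d.strip() for s, b in entries if s == "O20" for d in b.split(":", 1)[1].split(",") if d.strip()]
```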
     
  7. 2008/11/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Are you still experiencing problems with Google?
     
  8. 2008/11/26
    jfadal

    jfadal Inactive Thread Starter

    Joined:
    2008/11/13
    Messages:
    5
    Likes Received:
    0
    No, it seems to be working fine.
     
  9. 2008/11/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Logs look good too. Let's get an online scan to be sure we haven't missed something. Please do an online scan with Kaspersky Online Scanner.

    • Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


    Post the Kaspersky log here.
     
  10. 2008/11/27
    fknvirus

    fknvirus Inactive

    Joined:
    2008/11/27
    Messages:
    1
    Likes Received:
    0
    Google redirect malware

    What could be the exact reason for getting infected by this??
     