trojan.wimad on Vista: whats it doing?

AfterDawn.com

Mobile/PDA About Us Advertise here


		User name	Password

		Not registered yet? Register here. Lost your password? Click here.

Advertise at AfterDawn.com

Link to us!

Private messages

Compose a private message

List of all updated threads

Threads without replies

Search messages

Sunday 5.7.2009 / 01:12

Search:

In English

Suomeksi

På svenska

afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > trojan.wimad on vista: whats it doing?

Browse by topic

Forums

Forums

Start a new thread

trojan.wimad on Vista: whats it doing?

Jump to:

Posted

Message

IronRisng

Junior Member

20. June 2008 @ 20:38

Link to this message

Opened up a video file from a friend the other night and my Symantec AntiVirus popped up with a running scan warning telling me it had found trojan.wimad and had deleted it. I thought no big deal. but then the window came up again, and i left it open, and it deleted it again, but then the list started to grow, and every time it deleted it, there would be another entry about 30 seconds later of the same trojan.wimad being deleted, just with a different file name.

so i freaked, looked it up on their website, and ran a full system scan with my internet unplugged. didn't find anything, and the list continued to grow. so then today after waking up and finding no solution with the scan, i decided to update Symantec even though I had updated it only 2 days ago. Once I did, it stopped finding the trojan. I then also DLed and ran CCCleaner on my computer. The little box telling me it found a trojan is no longer popping up and I'm not sure if I should be worried. Any thoughts?

Advertisement

IronRisng

Junior Member

20. June 2008 @ 20:43

Link to this message

Also, is there any way to clean the video file and keep it? I had run a scan on his files initially and it found nothing until i opened the video file, but now I'm not sure if I have to delete it or not for certain. Remember, I ran a full system scan after it found the trojan which should have hit the original file and it still found nothing...thanks for any help you can provide

Senior Member

21. June 2008 @ 10:48

Link to this message

Hi IronRisng,

Let’s first do a generic cleanup and get some Logs so your problems can be analyzed…

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

Please download and install SUPERAntiSpyware Free
• Double-click SUPERAntiSypware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)[/i]
• Under the "Configuration and Preferences", click the Preferences... button.
• Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
• Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen and exit the program.
• Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.
• If you use Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
• If you use Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
• Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
• Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes" and reboot normally.
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

Reboot to Normal Mode

Download and Run HijackThis
Download HJTInstall.exe to your Desktop.
• Doubleclick HJTInstall.exe to install it.
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
• Click on Install.
• It will create a HijackThis icon on the desktop.
• Once installed, it will launch Hijackthis.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Copy/Paste the log to your next reply please.

Please reply with the HJT Log and SUPERAntiSpyware Log and we’ll go from there…..

2OG

There are three kinds of men:
The ones that learn by reading.
The few who learn by observation.
The rest of them have to pee on the electric fence and find out for themselves...

Please DO NOT PM me for support... Lets keep it on the board, so we can all learn.

IronRisng

Junior Member

21. June 2008 @ 21:34

Link to this message

HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:33 PM, on 6/22/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\alg.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/d.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/d...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/d...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [INPROCOMMWireless] C:\Program Files\Atheros\Wireless\Utility\WlanUtil.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://symantec.student.unco.edu/secure/vista32/webinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9601 bytes

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/22/2008 at 01:21 PM

Application Version : 4.15.1000

Core Rules Database Version : 3487
Trace Rules Database Version: 1478

Scan type : Complete Scan
Total Scan Time : 00:58:03

Memory items scanned : 209
Memory threats detected : 0
Registry items scanned : 6073
Registry threats detected : 0
File items scanned : 76077
File threats detected : 0

So I'm guessing that this means that Symantec must have got the Trojan after all on its own?

Senior Member

22. June 2008 @ 11:44

Link to this message

Hi IronRisng,

From your logs, I’d say your CLEAN…

Quote:
Also, is there any way to clean the video file and keep it?

I, personally, would delete it and choose another “Friend” to send me files… LOL

I see you are using teatimer and ThreatFire, one of these should have caught it before it was installed and given you the option to stop it..

Your ZoneAlarm should have caught the “call home” and allowed you to block that…

I always suggest FireFox, I see you have it …. The new FireFox 3 is out..

Here are just a few suggestions: (I may not have time to include all links, just google)

• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know Malware sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Be sure to check this out… I have over 300,000 bad sites Blocked on my computer. With this in place you cannot browse the sites and they cannot download to you…

I don’t like Symantec I use AntiVir. I use the paid version but if you can put up with the Nags the Free version it’s fantastic.

Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Then go to Start > Run and type: Cleanmgr
• Click "OK".
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Download ATF Cleaner by Atribune.
I'm not sure of the Vista version. They probably have it. I have Vista Ultimate that I can boot up, but don't like it.. I'll give up XP when they pry it from my cold dead hand.. LOL

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

For your Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
Run this at least once a week…

Defragment your Hard Drive

1.Open My Computer.
2.Right-click the local disk volume that you want to defragment, and then click Properties.
3.On the Tools tab, click Defragment Now.
4.Click Defragment.

Do this about once a week.. ( I have a schedule that defrags my drive every day using JKDefrag.exe )

2OG

If you have any questions, just holler, I'll leave this thread open.

There are three kinds of men:
The ones that learn by reading.
The few who learn by observation.
The rest of them have to pee on the electric fence and find out for themselves...

Please DO NOT PM me for support... Lets keep it on the board, so we can all learn.

IronRisng

Junior Member

23. June 2008 @ 23:20

Link to this message

Awesome, thanks so much for the help. I went through and did everything you said, worked out well.

I figured all the same stuff you did with having teatimer and threatfire and zonealarm to stop anything that got into my system. Sometimes I worry if I'm overly paranoid trying to keep my system as clean as possible. I feel like ZA has done an amazing job as a free firewall, and I know you can never really protect yourself, but is there a setup of programs that leaves a user the most protected? I'm sure everyone has preferences, but for instance I didn't feel too secure about being protected against keyloggers so that's the only reason I DLed Threatfire. Not sure if that is a logical step or an unnecessary one. I used to be on top of things, technologically speaking, but school started a few years back and it was just too time consuming to stay up to date with it all. Now I feel like someone might compare me to my grandpa in terms of what I know, haha.

So are there any recommendations about programs I can delete, ones worth adding or substituting compared with whats on my system already?

What do you also use instead of Symantec? My university provides it to us free so I figured big name attached to it and all, must be pretty good.

Also, I know there are a TON of guides out there, but do you have any specific recommendations for guides to help vista run faster? ive disabled things like the search indexing and whatnot. truth is, i hate vista but needed a laptop before my trip and nearly all of them these days come with only vista. bastards.

Senior Member

24. June 2008 @ 02:52

Link to this message

You are more than welcome, IronRisng. Just glad was able to help..

I will opine but, as you know, opinions are like a-holes, everybody has one…. LOL

IMHO, Using Teatimer AND ThreatFire is paranoia. I don’t use Teatimer because I don’t like it.. hehe I don’t use ThreatFire (it’s a great program) because it conflicts with IncrediMail (my wife’s e-mail client). Must keep peace on the Home Front…..
I use WinPatrol, the paid Plus version. It has a great, online data base for checking out strange programs I see in HJT Logs or in computers that I maintain at work..

I also use -> BOClean
Check it out. It stops Trojans and Malware, is very un-intrusive, works and it’s FREE.

I use MVPS Host File.
I use a larger version, but this is the best First line of defense you can have on a computer.

As far as Vista goes; Don’t like, don’t use it……..
I use XP Home version on my home computers and XP Pro on the computers at work because they are networked.
I do have Vista Ultimate in a duel boot on 2 of my home computers and play with it occasionally.

For Guides, I don’t know, but here’s a list, check some of these out => Vista features

I hope that gives you enough chewing gum for the brain…. Check it out, use what you like and throw the rest out the window…. LOL

Have a “Happy” :)

2OG

There are three kinds of men:
The ones that learn by reading.
The few who learn by observation.
The rest of them have to pee on the electric fence and find out for themselves...

Please DO NOT PM me for support... Lets keep it on the board, so we can all learn.

IronRisng

Junior Member

30. June 2008 @ 10:32

Link to this message

Awesome. Thank you so much for all the help, I will use the wisdom the best way I know how: by using it! Thanks again!

SBlade

Newbie

23. July 2008 @ 16:35

Link to this message

Hi 2oldGeek - Thank you very much for your advice to IronRising; your guidelines helped me get rid of (I think) the same Trojan.

Here is the situation: I downloaded a program (my own fault, I know) that had the Trojan embedded in it; my Norton security scan caught it. I then realized that it wouldn't let me delete the files I had downloaded, saying they were "in use". I noted the name of the Trojan, and the specific place it said it was (in a random video file), and deleted that file. I then followed your instructions and have since deleted the original downloaded files that caused the program (they seem to have been "unlocked", so I'm hoping that means the virus is gone. Also, my computer appears to be running fairly normally).

Just to double check, I thought I would post my logs just to make sure everything is clear - I will then take your advice about the system restore points!

Thanks again!

hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:08 PM, on 23/07/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\taskeng.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...ilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3...ilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [RMClock] "C:\Program Files\RMClock\RMClock.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote Table Of Contents.onetoc2
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee Application Installer Cleanup (0202901216812924) (0202901216812924mcinstcleanup) - Unknown owner - C:\Windows\TEMP\020290~1.EXE (file missing)
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10550 bytes

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/23/2008 at 12:58 PM

Application Version : 4.15.1000

Core Rules Database Version : 3513
Trace Rules Database Version: 1504

Scan type : Complete Scan
Total Scan Time : 01:57:43

Memory items scanned : 249
Memory threats detected : 0
Registry items scanned : 8095
Registry threats detected : 0
File items scanned : 214050
File threats detected : 0

Senior Member

23. July 2008 @ 22:37

Link to this message

SBlade,

Just one little detail in your log.

Fix entries using HiJackThis

Launch HiJackThis
Click the Do a system scan only button
Put a check next to the entries listed below (if they still remain)

O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now.

Click the Fix checked button and close HiJackThis

Use Windows Explorer to navigate to this folder and delete it.

C:\Windows\SMINST

With that, you should be Clean… Any problems? Let me know.

2oG

There are three kinds of men:
The ones that learn by reading.
The few who learn by observation.
The rest of them have to pee on the electric fence and find out for themselves...

Please DO NOT PM me for support... Lets keep it on the board, so we can all learn.

SBlade

Newbie

25. July 2008 @ 13:42

Link to this message

Hi again - I did as you advised, and my computer is working perfectly now.

Thank you so much for your help!

s

Senior Member

26. July 2008 @ 08:41

Link to this message

You’re welcome SBlade.

Practice Safe Surfing ; )

2OG

There are three kinds of men:
The ones that learn by reading.
The few who learn by observation.
The rest of them have to pee on the electric fence and find out for themselves...

Please DO NOT PM me for support... Lets keep it on the board, so we can all learn.

mvelker

Newbie

4. October 2008 @ 22:04

Link to this message

i know this hasnt been written on for a while, but hopefully i can get some help.
i think i have the same thing, and i ran the scans, i did everything, but the scans didnt find anything, and window still popped up.

heres the logs

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:08 PM, on 10/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\lkcitdl.exe
c:\WINDOWS\system32\lkads.exe
c:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Shared\Security\nidmsrv.exe
c:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Client\commagent.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Agilent\IO Libraries Suite\Agilent.TMFramework.Connectivity.AgilentIOLibrariesService.exe
C:\Program Files\Webroot\Client\spysweeper.exe
C:\Program Files\Agilent\IO Libraries Suite\Agilent.TMFramework.Connectivity.NkoServer.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Agilent\IO Libraries Suite\bin\iproc488.exe
C:\Program Files\Agilent\IO Libraries Suite\bin\iproc82357.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Webroot\Client\SpySweeperUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\Agilent\IO Libraries Suite\bin\iprocsvr.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Agilent\IO Libraries Suite\bin\iproc8491.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec AntiVirus\DWHWIZRD.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Symantec AntiVirus\vpc32.exe
C:\Program Files\Webroot\Client\DWPHelper.exe
C:\Program Files\Webroot\Client\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sharkbyte] C:\Program Files\Grooveshark\sharkbyte.exe -m
O4 - HKLM\..\Run: [WebrootClientUI] "C:\Program Files\Webroot\Client\SpySweeperUI.exe"
O4 - HKLM\..\Run: [NI Background Service] c:\Program Files\Shared\Update Service\BackgroundService.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: IO Control.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1183123664671
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windo...ggPublisher.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = udayton.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = udayton.edu
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agilent IO Libraries Service (AgilentIOLibrariesService) - Agilent - C:\Program Files\Agilent\IO Libraries Suite\Agilent.TMFramework.Connectivity.AgilentIOLibrariesService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - c:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - c:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - c:\WINDOWS\system32\lktsrv.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - c:\Program Files\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - c:\Program Files\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - c:\WINDOWS\system32\nisvcloc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Client\commagent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Client\spysweeper.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe
O24 - Desktop Component 0: Ink Desktop - {80E95280-2D38-3CB8-A215-FB5F14C4343E}

--
End of file - 15565 bytes

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/04/2008 at 06:37 PM

Application Version : 4.21.1004

Core Rules Database Version : 3588
Trace Rules Database Version: 1575

Scan type : Complete Scan
Total Scan Time : 03:31:38

Memory items scanned : 199
Memory threats detected : 0
Registry items scanned : 8350
Registry threats detected : 0
File items scanned : 258153
File threats detected : 0

Senior Member

4. October 2008 @ 23:55

Link to this message

Hi mvelker,

(1.) Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.

• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.

• Be sure that everything is checked, and click Remove Selected. << Do Not Forget This!!

• When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
• Please post contents of that file in your next reply.

(2.) Download Combo fix from one of these locations.
* IMPORTANT !!! Place combofix.exe on your Desktop

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Click start > run and Copy and Paste this in exactly, using the picture below for reference, then click OK.
Quote:

"%userprofile%\desktop\combofix.exe" /killall

ComboFix will begin to run DO NOTHING while this is happening.
• It will kill a few processes and disconnect you from the internet.
• If by chance it stops prematurely you can re-establish your internet connection by restarting your computer.
• This needs to be done so the program can work most efficiently for you.
Do not attempt to use the internet or anything else while it's doing its job for you.

** If when it's completed you can not get on the internet just reboot the computer.

(3.) Please post the log from comboFix for me located in c:\comboFix.txt, also the MBAM Log and a fresh HijackThis Log.

2OG

There are three kinds of men:
The ones that learn by reading.
The few who learn by observation.
The rest of them have to pee on the electric fence and find out for themselves...

Please DO NOT PM me for support... Lets keep it on the board, so we can all learn.

mvelker

Newbie

7. October 2008 @ 08:51

Link to this message

ok, i tried to do everything, but i had some problems...
first i ran the malwarebytes program, and within the first 5 min it found 24 infected objects, it continued to scan, and i let it keep going for at least 30 hours, it still only had those same 24 objects found. then for some reason when i returned to my computer the program was no longer up and there was no log created. so i ran the scan again only long enough so that it could find those 24 objects again, then i stopped it. the log for that is posted below.
then i tried to do the combofix thing, but for some reason only a progress bar popped up for a few seconds that said combofix, and then it disappeared and nothing else happened; nothing changed, i didnt even lose internet connection. so i dont have a combofix log.
i ran the hijacks scan again though and that is posted as well. im not really sure what else i could do.

Malwarebytes' Anti-Malware 1.28
Database version: 1230
Windows 5.1.2600 Service Pack 2

10/6/2008 9:35:02 PM
mbam-log-2008-10-06 (21-35-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 26948
Time elapsed: 5 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 23
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\videoegg.activexloader (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoegg.activexloader.1 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e282c728-189d-419e-8ee2-1601f4b39ba5} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e1a63484-a022-4d42-830a-fbd411514440} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dc3a04ee-cdd7-4407-915c-a5502f97eecd} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{db8cce99-59c6-4552-8bfc-058feb38d6ce} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d17726cc-d4dd-4c4a-9671-471d56e413b5} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5041fd9-4819-4dc4-b20e-c950b5b03d2a} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bb187c0d-6f53-4f3e-9590-98fd3a7364a2} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ad5915ea-b61a-4dba-b5c8-ef4b2df0a3c7} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ad0a3058-fd49-4f98-a514-fd055201835e} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a58c497b-3ee2-45e7-9594-daca6be2a0d0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a3d06987-c35e-49e4-8fe2-ac67b9fbfb4c} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9856e2d8-ffb2-4fe5-8cad-d5ad6a35a804} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8f6a82a2-d7b1-443e-bb9f-f7dc887dd618} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{88d6cf0e-cf70-4c24-bf6e-e4e414bc649c} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{83dfb6ee-ab18-41b5-86d4-b544a141d67e} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5c29c7e4-5321-4cad-be2e-877666bed5df} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3f91eb90-ef62-44ee-a685-fac29af111cd} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1a8642f1-dc80-4edc-a39d-0fb62a58b455} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{168dc258-1455-4e61-8590-9dac2f27b675} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:05 AM, on 10/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\lkcitdl.exe
c:\WINDOWS\system32\lkads.exe
c:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Shared\Security\nidmsrv.exe
c:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Client\commagent.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Agilent\IO Libraries Suite\Agilent.TMFramework.Connectivity.AgilentIOLibrariesService.exe
C:\Program Files\Agilent\IO Libraries Suite\Agilent.TMFramework.Connectivity.NkoServer.exe
C:\Program Files\Webroot\Client\spysweeper.exe
C:\Program Files\Agilent\IO Libraries Suite\bin\iproc488.exe
C:\Program Files\Agilent\IO Libraries Suite\bin\iproc82357.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Webroot\Client\SpySweeperUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\Agilent\IO Libraries Suite\bin\iprocsvr.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Agilent\IO Libraries Suite\bin\iproc8491.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\system32\cmd.execf
C:\WINDOWS\system32\chcp.com
C:\Program Files\Webroot\Client\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sharkbyte] C:\Program Files\Grooveshark\sharkbyte.exe -m
O4 - HKLM\..\Run: [WebrootClientUI] "C:\Program Files\Webroot\Client\SpySweeperUI.exe"
O4 - HKLM\..\Run: [NI Background Service] c:\Program Files\Shared\Update Service\BackgroundService.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: IO Control.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1183123664671
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = udayton.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = udayton.edu
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agilent IO Libraries Service (AgilentIOLibrariesService) - Agilent - C:\Program Files\Agilent\IO Libraries Suite\Agilent.TMFramework.Connectivity.AgilentIOLibrariesService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - c:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - c:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - c:\WINDOWS\system32\lktsrv.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - c:\Program Files\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - c:\Program Files\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - c:\WINDOWS\system32\nisvcloc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Client\commagent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Client\spysweeper.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe
O24 - Desktop Component 0: Ink Desktop - {80E95280-2D38-3CB8-A215-FB5F14C4343E}

--
End of file - 15165 bytes

Senior Member

8. October 2008 @ 04:44

Link to this message

@mvelker,

I cannot see anything specific in your HJT log and about all that shows up in the piece of MBAM Log is just AdWare…

We really need to be able to run ComboFix in order to see what the underlying problem is.

Let’s try a couple of things – you must understand that this is just trial and error and may take a little time..

Go to > Start > Run > in the box type sfc /scannow and then click OK

This will take some time for a scan. Please let me know the outcome….
If you are asked to insert a disk in the CD drive, please insert the disk that came with the computer or an operating system disk. If you do not have a disk, just stop the program and let me know that it asked…

Next:

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Run Malwarebytes' Anti-Malware,
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.
• When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Reboot to Normal Mode

• Please post the MBAM Log and a fresh HJT log in your next reply.

2OG

There are three kinds of men:
The ones that learn by reading.
The few who learn by observation.
The rest of them have to pee on the electric fence and find out for themselves...

Please DO NOT PM me for support... Lets keep it on the board, so we can all learn.

mvelker

Newbie

8. October 2008 @ 12:43

Link to this message

ok, i thought that i posted this earlier, but i guess it didnt go through.
i got the combofix to work, so ive posted the log for that and a fresh hijacks log.

let me know if i still have to do the malwarebytes thing again in safe mode still

ComboFix 08-10-07.06 - velkermr 2008-10-07 19:29:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1458 [GMT -4:00]
Running from: C:\Documents and Settings\velkermr\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://windowsupdate.udayton.edu
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2008-09-08 to 2008-10-08 )))))))))))))))))))))))))))))))
.

2008-10-07 13:49 . 2008-10-07 13:49 <DIR> d-------- C:\Program Files\iPod
2008-10-07 13:49 . 2008-10-07 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-05 13:44 . 2008-10-05 13:44 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-05 13:44 . 2008-10-05 13:44 <DIR> d-------- C:\Documents and Settings\velkermr\Application Data\Malwarebytes
2008-10-05 13:44 . 2008-10-05 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-05 13:44 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-05 13:44 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-04 21:12 . 2008-10-04 21:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-04 14:49 . 2008-10-04 14:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-04 14:49 . 2008-10-04 14:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-04 14:49 . 2008-10-04 14:49 <DIR> d-------- C:\Documents and Settings\velkermr\Application Data\SUPERAntiSpyware.com
2008-10-04 14:49 . 2008-10-04 14:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-03 17:19 . 2008-10-03 17:19 <DIR> d-------- C:\Converted
2008-10-01 09:12 . 2008-10-01 09:12 10,240 --ahs---- C:\WINDOWS\Thumbs.db
2008-09-30 18:30 . 2008-10-01 09:02 <DIR> d-------- C:\Program Files\Crawler
2008-09-29 14:41 . 2008-09-29 14:41 <DIR> d-------- C:\Documents and Settings\velkermr\Application Data\Agilent
2008-09-29 14:41 . 2008-09-29 14:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Agilent
2008-09-29 14:40 . 2008-09-29 14:40 <DIR> d-------- C:\Program Files\VISA-COM
2008-09-29 14:40 . 2008-09-29 14:40 <DIR> d-------- C:\Program Files\IVI Foundation
2008-09-29 14:40 . 2008-09-29 14:54 <DIR> d-------- C:\Program Files\Common Files\Agilent
2008-09-29 14:40 . 2008-09-29 14:54 <DIR> d-------- C:\Program Files\Agilent
2008-09-29 14:40 . 2008-09-29 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\IVI Foundation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 23:36 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-10-07 17:49 --------- d-----w C:\Program Files\iTunes
2008-10-03 21:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-29 18:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-23 10:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-14 14:26 --------- d-----w C:\Program Files\AIMTunes
2008-09-13 04:39 --------- d-----w C:\Program Files\Bonjour
2008-09-13 04:35 --------- d-----w C:\Program Files\QuickTime
2008-09-13 04:33 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-09 23:37 --------- d-----w C:\Documents and Settings\velkermr\Application Data\Move Networks
2008-09-09 00:10 --------- d-----w C:\Documents and Settings\velkermr\Application Data\goombah
2008-09-08 20:05 --------- d-----w C:\Documents and Settings\velkermr\Application Data\Ruckus Network
2008-09-03 15:10 --------- d-----w C:\Documents and Settings\velkermr\Application Data\MathWorks
2008-08-28 20:10 --------- d-----w C:\Program Files\Circuit Design Suite 10.1
2008-08-28 19:57 --------- d-----w C:\Documents and Settings\velkermr\Application Data\National Instruments
2008-08-28 19:55 --------- d-----w C:\Program Files\HI-TECH Software
2008-08-28 19:54 --------- d-----w C:\Program Files\Shared
2008-08-28 19:54 --------- d-----w C:\Program Files\RT Images
2008-08-28 19:54 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-08-28 19:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\National Instruments
2008-08-27 15:25 --------- d-----w C:\Program Files\Project64 1.6
2008-08-27 15:24 --------- d-----w C:\Program Files\Kiran's Typing Tutor
2008-08-27 15:19 --------- d-----w C:\Program Files\MatLab
2008-08-19 14:43 --------- d-----w C:\Program Files\Apple Software Update
2008-08-15 19:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Webroot
2008-08-15 19:33 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Webroot
2008-08-11 23:41 --------- d-----w C:\Program Files\Microsoft Silverlight
2007-02-08 14:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
2007-07-24 22:03 118,784 ----a-w C:\Program Files\internet explorer\plugins\LV85ActiveXControl.dll
2008-05-30 05:00 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-05-30 05:00 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-03 68856]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-04-01 3587120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="C:\WINDOWS\help\SplshWrp.exe" [2004-08-04 16384]
"TabletTip"="C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" [2005-04-25 271872]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-06-18 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-18 688218]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"NDPS"="C:\WINDOWS\system32\dpmw32.exe" [2004-05-17 32859]
"ZENRC Tray Icon"="C:\WINDOWS\system32\zentray.exe" [2005-05-18 40960]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-12-20 125632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Snippet"="C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-25 68296]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-29 151552]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [2006-10-18 40960]
"iPrint Event Monitor"="C:\WINDOWS\system32\iprntlgn.exe" [2006-10-18 45056]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-01-05 176128]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"WebrootClientUI"="C:\Program Files\Webroot\Client\SpySweeperUI.exe" [2008-07-16 435616]
"NI Background Service"="c:\Program Files\Shared\Update Service\BackgroundService.exe" [2008-04-03 77824]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 C:\WINDOWS\stsystra.exe]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 C:\WINDOWS\system32\nwtray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlpo_01"="md %USERPROFILE%\Local Settings\Temp" [X]
"nlpo_02"="advpack.dll" [2008-06-23 C:\WINDOWS\system32\advpack.dll]
"nlpo_03"="advpack.dll" [2008-06-23 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\velkermr\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Application Explorer.lnk - C:\Program Files\Novell\ZENworks\NalView.exe [2006-06-13 35840]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
IO Control.lnk - C:\WINDOWS\Installer\{973FF72F-4B14-4A08-BA8C-A4FA5F0EC0F4}\NewShortcut2.53194037_DDF3_483C_97E9_67D689D47D96.exe [2008-09-29 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoDevMgrUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "C:\Program Files\Novell\ZENworks\NalShell.dll" [2006-06-28 446464]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2004-08-04 04:00 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2006-05-02 09:17 24576 C:\WINDOWS\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 03:41 11776 C:\WINDOWS\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2006-11-01 10:18 32256 C:\WINDOWS\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dpmw32.exe"=
"C:\\Program Files\\Novell\\ZENworks\\RemoteManagement\\RMAgent\\ZenRem32.exe"=
"C:\\Misc\\Symantec Antivirus CE\\DownloadXDB.exe"=
"C:\\Program Files\\IBM\\Sametime Connect\\jre\\bin\\sametime75.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"C:\\Program Files\\Java\\jdk1.5.0_12\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jdk1.5.0_12\\jre\\bin\\java.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Agilent\\IO Libraries Suite\\bin\\siclland.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1761:TCP"= 1761:TCP:ZENworks Remote Management port
"1761:UDP"= 1761:UDP:ZENworks Remote Management port
"2967:TCP"= 2967:TCP:Symantec Antivirus v10 Client
"50000:TCP"= 50000:TCP:Webroot SpySweeper Client Service
"50001:TCP"= 50001:TCP:Webroot SpySweeper Sweep Now Function
"50002:TCP"= 50002:TCP:Webroot SpySweeper Poll Now Function
"50003:TCP"= 50003:TCP:Webroot SpySweeper Webroot Client Service
"5044:UDP"= 5044:UDP:LxiAllow
"5044:TCP"= 5044:TCP:LxiAllow
"319:UDP"= 319:UDP:LxiAllow
"320:UDP"= 320:UDP:LxiAllow
"111:UDP"= 111:UDP:SunRpcAllow
"111:TCP"= 111:TCP:SunRpcAllow

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 nipplpt2;Novell iCapture Lpt Redirector 2;C:\WINDOWS\system32\drivers\nipplpt.sys [2006-10-18 34671]
R2 AgilentIOLibrariesService;Agilent IO Libraries Service;C:\Program Files\Agilent\IO Libraries Suite\Agilent.TMFramework.Connectivity.AgilentIOLibrariesService.exe [2007-09-28 45056]
R2 BlankScr;HBDevice;C:\WINDOWS\system32\drivers\BlankScr.sys [2005-05-23 6899]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2007-10-23 4096]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2006-05-09 167936]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 XTAgent;Novell XTier Agent Services;C:\WINDOWS\System32\Novell\XTAgent.exe [2006-05-02 61440]
R3 FinePnt;FinePoint Innovations HID Driver;C:\WINDOWS\system32\DRIVERS\FpHidDrv.sys [2007-06-18 18816]
R3 MSTabBtn;Tablet PC Buttons HID Driver;C:\WINDOWS\system32\DRIVERS\MSTabBtn.sys [2006-06-14 9600]
R3 msvad_simple;WTMDriver;C:\WINDOWS\system32\drivers\WTMDriver.sys [2007-09-29 51072]
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys [ ]
S3 agBootB;Agilent Technologies 82357B firmware download service;C:\WINDOWS\system32\DRIVERS\agt82357.sys [2007-09-27 35424]
S3 LTower;LEGO USB Tower Driver;C:\WINDOWS\system32\Drivers\LTower.sys [2004-01-22 39936]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-05-07 42112]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-10-07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Performance Center - C:\Program Files\Ascentive\Performance Center\APCMain.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-NoteBurner - C:\Program Files\NoteBurner\VTBurnerGUI.exe
HKLM-Run-Sharkbyte - C:\Program Files\Grooveshark\sharkbyte.exe
HKLM-Run-DXDllRegExe - dxdllreg.exe
HKU-Default-Run-TabletWizard - C:\WINDOWS\help\wizard.hta

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\velkermr\Application Data\Mozilla\Firefox\Profiles\eyf3o6p2.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://att.my.yahoo.com/
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPLV82Win32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\nplv85win32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npnipp.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - C:\Program Files\Real\RealPlayer Enterprise\Netscape6\nppl3260.dll
FF -: plugin - C:\Program Files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 20:59:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\xmlparse.dll

PROCESS: C:\WINDOWS\Explorer.exe
-> C:\Program Files\Novell\ZENworks\NLS\english\NalUIRes.dll
-> C:\WINDOWS\system32\NWSHLXNT.dll
-> C:\WINDOWS\system32\NLS\ENGLISH\NWSHLXNR.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\NALNTSRV.EXE
C:\Program Files\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Client\CommAgent.exe
C:\Program Files\Novell\ZENworks\WM.EXE
C:\Program Files\Webroot\Client\SPYSWEEPER.EXE
C:\Program Files\Agilent\IO Libraries Suite\Agilent.TMFramework.Connectivity.NkoServer.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Agilent\IO Libraries Suite\bin\iproc82357.exe
C:\Program Files\Agilent\IO Libraries Suite\bin\iproc488.exe
C:\WINDOWS\system32\wisptis.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\tabbtnu.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\tcserver.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\Agilent\IO Libraries Suite\bin\iprocsvr.exe
C:\Program Files\Agilent\IO Libraries Suite\bin\iproc8491.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-10-07 21:13:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-08 01:13:46

Pre-Run: 10,875,654,144 bytes free
Post-Run: 12,194,279,424 bytes free

293 --- E O F --- 2008-09-25 10:00:35

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39, on 2008-10-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\lkcitdl.exe
c:\WINDOWS\system32\lkads.exe
c:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
c:\Program Files\Shared\Security\nidmsrv.exe
c:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Client\commagent.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Agilent\IO Libraries Suite\Agilent.TMFramework.Connectivity.AgilentIOLibrariesService.exe
C:\Program Files\Webroot\Client\spysweeper.exe
C:\Program Files\Agilent\IO Libraries Suite\Agilent.TMFramework.Connectivity.NkoServer.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Agilent\IO Libraries Suite\bin\iproc82357.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Webroot\Client\SpySweeperUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Agilent\IO Libraries Suite\bin\iprocsvr.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Agilent\IO Libraries Suite\bin\iproc8491.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Client\DWPHelper.exe
C:\Program Files\Webroot\Client\SSU.EXE
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE
C:\Program Files\Agilent\IO Libraries Suite\bin\iproc488.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WebrootClientUI] "C:\Program Files\Webroot\Client\SpySweeperUI.exe"
O4 - HKLM\..\Run: [NI Background Service] c:\Program Files\Shared\Update Service\BackgroundService.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100429 -Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: IO Control.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1183123664671
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = udayton.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = udayton.edu
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agilent IO Libraries Service (AgilentIOLibrariesService) - Agilent - C:\Program Files\Agilent\IO Libraries Suite\Agilent.TMFramework.Connectivity.AgilentIOLibrariesService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - c:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - c:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - c:\WINDOWS\system32\lktsrv.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\lotus\notes\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - c:\Program Files\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - c:\Program Files\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - c:\WINDOWS\system32\nisvcloc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Client\commagent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Client\spysweeper.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe
O24 - Desktop Component 0: Ink Desktop - {80E95280-2D38-3CB8-A215-FB5F14C4343E}

--
End of file - 15015 bytes

Senior Member

9. October 2008 @ 00:53

Link to this message

@mvelker,

Your Logs look clean……… Any Problems???

2OG

There are three kinds of men:
The ones that learn by reading.
The few who learn by observation.
The rest of them have to pee on the electric fence and find out for themselves...

Please DO NOT PM me for support... Lets keep it on the board, so we can all learn.

mvelker

Newbie

9. October 2008 @ 09:43

Link to this message

no, no problems so far, but ill let you know if anything pops up.
thanks a bunch

mvelker

Newbie

13. October 2008 @ 13:51

Link to this message

well, everything was fine for a few days, i dont think that i did anything to get it back, but the Auto-Protect started finding things again (trojan.wimad)
i tried doing a combofix again, but it didnt do anything this time,
is there anything else i can do?

Senior Member

14. October 2008 @ 00:58

Link to this message

@ mvelker,

What Auto-Protect are you using??? Maybe spysweeper?

Try this:

Please download and install SUPERAntiSpyware Free

• Double-click SUPERAntiSypware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
• Under the "Configuration and Preferences", click the Preferences... button.
• Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
• Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen and exit the program.
• Do not run a scan just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:

• Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes" and reboot normally.
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

Reboot to Normal Mode

Please post the SUPERAntiSpyware Log in your next reply.

Also please post a fresh HJT Log just to see if you have picked up anything since the last one…

2OG

There are three kinds of men:
The ones that learn by reading.
The few who learn by observation.
The rest of them have to pee on the electric fence and find out for themselves...

Please DO NOT PM me for support... Lets keep it on the board, so we can all learn.

mvelker

Newbie

16. October 2008 @ 11:45

Link to this message

the auto-protect is from Symantec AntiVirus.

i know that ive done the superantispyware scan before and it didnt work, but i tried it again anyway and it still didnt work.
so heres the log fron the scan and from hijacks.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/16/2008 at 02:33 AM

Application Version : 4.21.1004

Core Rules Database Version : 3599
Trace Rules Database Version: 1585

Scan type : Complete Scan
Total Scan Time : 04:15:07

Memory items scanned : 198
Memory threats detected : 0
Registry items scanned : 7795
Registry threats detected : 0
File items scanned : 289819
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\velkermr\Cookies\velkermr@revsci[1].txt
C:\Documents and Settings\velkermr\Cookies\velkermr@cdn.at.atwola[1].txt
C:\Documents and Settings\velkermr\Cookies\velkermr@ar.atwola[1].txt
C:\Documents and Settings\velkermr\Cookies\velkermr@advertising[1].txt
C:\Documents and Settings\velkermr\Cookies\velkermr@doubleclick[2].txt
C:\Documents and Settings\velkermr\Cookies\velkermr@atdmt[1].txt
C:\Documents and Settings\velkermr\Cookies\velkermr@at.atwola[1].txt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:20 AM, on 2008-10-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\lotus\notes\nslsvice.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\lkcitdl.exe
c:\WINDOWS\system32\lkads.exe
c:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Shared\Security\nidmsrv.exe
c:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Client\commagent.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Agilent\IO Libraries Suite\Agilent.TMFramework.Connectivity.AgilentIOLibrariesService.exe
C:\Program Files\Agilent\IO Libraries Suite\Agilent.TMFramework.Connectivity.NkoServer.exe
C:\Program Files\Webroot\Client\spysweeper.exe
C:\Program Files\Agilent\IO Libraries Suite\bin\iproc488.exe
C:\Program Files\Agilent\IO Libraries Suite\bin\iproc82357.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Webroot\Client\SpySweeperUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\Agilent\IO Libraries Suite\bin\iprocsvr.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Agilent\IO Libraries Suite\bin\iproc8491.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Client\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WebrootClientUI] "C:\Program Files\Webroot\Client\SpySweeperUI.exe"
O4 - HKLM\..\Run: [NI Background Service] c:\Program Files\Shared\Update Service\BackgroundService.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: IO Control.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1183123664671
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = udayton.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = udayton.edu
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agilent IO Libraries Service (AgilentIOLibrariesService) - Agilent - C:\Program Files\Agilent\IO Libraries Suite\Agilent.TMFramework.Connectivity.AgilentIOLibrariesService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - c:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - c:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - c:\WINDOWS\system32\lktsrv.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\lotus\notes\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - c:\Program Files\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - c:\Program Files\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - c:\WINDOWS\system32\nisvcloc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Client\commagent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Client\spysweeper.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe
O24 - Desktop Component 0: Ink Desktop - {80E95280-2D38-3CB8-A215-FB5F14C4343E}

--
End of file - 14760 bytes

Advertisement

hotjazz

Newbie

20. October 2008 @ 21:58

Link to this message

OK I've read the instructions did all the scans and stuff and here are the logs. Nothing wrse than the blue screen of death at midnight..... So far today after all of this my computer seems to be running perfect. :) btw the babysitter is going to get her @$$ kicked LOL

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:15 PM, on 20/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Nova Development\Scrapbook Factory Deluxe 4.0\ReminderApp.exe
C:\WINDOWS\System32\wpcumi.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...ilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3...ilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Scrapbook Factory Deluxe 4.0\ReminderApp.exe
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: RosettaStoneLtdController - Rosetta Stone Ltd. - C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13137 bytes

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/20/2008 at 06:21 PM

Application Version : 4.21.1004

Core Rules Database Version : 3555
Trace Rules Database Version: 1543

Scan type : Complete Scan
Total Scan Time : 01:35:58

Memory items scanned : 215
Memory threats detected : 0
Registry items scanned : 8364
Registry threats detected : 0
File items scanned : 182885
File threats detected : 39

Adware.Tracking Cookie
C:\Users\Home\AppData\Roaming\Microsoft\Windows\Cookies\Low\home@ad.associatedcontent[1].txt
C:\Users\Home\AppData\Roaming\Microsoft\Windows\Cookies\Low\home@ads.realtechnetwork[1].txt
C:\Users\Home\AppData\Roaming\Microsoft\Windows\Cookies\Low\home@dmtracker[1].txt
C:\Users\Home\AppData\Roaming\Microsoft\Windows\Cookies\Low\home@e-2dj6wfmislazaeq.stats.esomniture[2].txt
C:\Users\Home\AppData\Roaming\Microsoft\Windows\Cookies\Low\home@e-2dj6wjkyopcpilq.stats.esomniture[1].txt
C:\Users\Home\AppData\Roaming\Microsoft\Windows\Cookies\Low\home@e-2dj6wjliqmc5ceo.stats.esomniture[1].txt
C:\Users\Home\AppData\Roaming\Microsoft\Windows\Cookies\Low\home@rbc.bridgetrack[2].txt
C:\Users\Home\AppData\Roaming\Microsoft\Windows\Cookies\Low\home@tribalfusion[2].txt
C:\Users\Home\AppData\Roaming\Microsoft\Windows\Cookies\Low\home@www.googleadservices[1].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@2o7[2].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@ad.yieldmanager[2].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@adcentriconline[1].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@adinterax[1].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@ads.pointroll[1].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@ads.revsci[1].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@advertising[2].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@apmebf[1].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@atdmt[2].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@atwola[2].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@bluestreak[1].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@canoe.112.2o7[1].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@doubleclick[1].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@fastclick[1].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@media.adrevolver[2].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@media.mtvnservices[1].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@msnportal.112.2o7[1].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@overture[2].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@pathfinder[1].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@questionmarket[2].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@richmedia.yahoo[1].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@stats.manticoretechnology[1].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@statse.webtrendslive[2].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@tacoda[2].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@trafficmp[1].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@tribalfusion[1].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@viacom.adbureau[1].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\Low\the_babysitter@zedo[1].txt
C:\Users\The Babysitter\AppData\Roaming\Microsoft\Windows\Cookies\the_babysitter@atdmt[2].txt

Trojan.Unclassified-Packed/Suspicious
C:\WINDOWS\SYSTEM32\B4FM.DLL

Start a new thread

afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > trojan.wimad on vista: whats it doing?

Digital video: AfterDawn.com | AfterDawn Forums
Music: MP3Lizard.com
Gaming: Blasteroids.com | Blasteroids Forums | Compare game prices
Software: Software downloads
Blogs: User profile pages
RSS feeds: AfterDawn.com News | Software updates | AfterDawn Forums
International: AfterDawn in Finnish | AfterDawn in Swedish | download.fi
Navigate: Search | Site map
About us: About AfterDawn Ltd | Advertise on our sites | Rules, Restrictions, Legal disclaimer & Privacy policy
Contact us: Send feedback | Contact our media sales team

© 1999-2009 by AfterDawn Ltd.