Thread: Help needed in the removal of Trojan.Lmir.boy and Downloader.IFrame.ay infection
View Single Post
Old 12-07-2007, 08:05 PM   #6 (permalink)
siriushaha
Registered User
 
siriushaha's Avatar
 
Join Date: Apr 2005
Location: San Francisco Bay Area, CA
Posts: 10
OS: Windows 2000 Pro


Send a message via Yahoo to siriushaha
Re: Help needed in the removal of Trojan.Lmir.boy and Downloader.IFrame.ay infection
Dear Ried,

Here is DSS log for your review as follows:

Deckard's System Scanner v20071014.68
Run by dha on 2007-12-07 18:57:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as dha.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:48 PM, on 12/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\berkleemusic\Digidesign\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Microsoft SQL Server\MSSQL$EMMSDE\Binn\sqlservr.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\M-Audio\Ozone\Install\ozinst.exe
C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Amic Utilities\PDF Writer Pro\pdfwload.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\WINDOWS\system32\MAFWTray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Maxtor\MSS Backup\maxbackservice.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Maxtor\ManagerApp\msssort.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\berkleemusic\NTONYX\MIDI Matrix\MidiMtrx.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\DOCUME~1\dha\LOCALS~1\Temp\AutoDetect.exe
E:\ceedo\Ceedo\Ceedo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\dha\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\dha.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: optionsXpress Toolbar - {63CC63C6-1AE1-491C-B96A-812A7950A1EC} - C:\Program Files\optionsXpress\optionsXpress Toolbar\optionsXpressToolbar.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - e:\ceedo\WORKSP~1\ZENDST~1\toolbars\ZENDIE~1.DLL
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [pdfw] C:\Program Files\Amic Utilities\PDF Writer Pro\pdfwload.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Gizmo Project] "C:\Program Files\Gizmo Project\Gizmo.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\berkleemusic\Digidesign\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [MaxBackSchedule] "C:\Program Files\Maxtor\MSS Backup\maxbackservice.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [mssSort] "C:\Program Files\Maxtor\ManagerApp\msssort.exe"
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Ceedo AutoDetect] C:\DOCUME~1\dha\LOCALS~1\Temp\AutoDetect.exe /active
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKCU\..\RunOnce: [Ceedo Repair] C:\DOCUME~1\dha\LOCALS~1\Temp\AutoDetect.exe /repair /drive=E /name=Ceedo
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MIDI Matrix.lnk = C:\berkleemusic\NTONYX\MIDI Matrix\MidiMtrx.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: Zend Studio - Debug current page - res://e:\ceedo\workspace\ZendStudio\toolbars\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - res://e:\ceedo\workspace\ZendStudio\toolbars\ZendIEToolbar.dll/DebugNext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Zend Studio Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - e:\ceedo\WORKSP~1\ZENDST~1\toolbars\ZENDIE~1.DLL
O9 - Extra 'Tools' menuitem: Zend Studio - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - e:\ceedo\WORKSP~1\ZENDST~1\toolbars\ZENDIE~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c9...49/qboax10.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {C29A0936-5E0D-4C8E-BCE4-A106B75E037B} (MyDropTarget Class) - http://www.zude.com/DropTarget.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://zend.webex.com/client/T25L/event/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9C229A1-F84B-4CE5-AEB1-8D55BBE6418E}: NameServer = 206.13.28.12,151.164.1.8
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo Project\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\berkleemusic\Digidesign\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\berkleemusic\Digidesign\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: EnterpriseDB Postgres 8.2 - Server (edb-pg-8.2) - PostgreSQL Global Development Group - E:\ceedo\Program Files\EnterpriseDB Postgres\8.2\bin\pg_ctl.exe
O23 - Service: EnterpriseDB Postgres 8.2 - Replication (edb-pg-8.2-replication) - PostgreSQL Global Development Group - E:\ceedo\Program Files\EnterpriseDB Postgres\8.2\bin\slon.exe
O23 - Service: EnterpriseDB Postgres 8.2 - Scheduler (edb-pg-8.2-scheduler) - Unknown owner - E:\ceedo\Program Files\EnterpriseDB Postgres\8.2\bin\pgAgent.exe
O23 - Service: EncompassServer - - c:\workspace\encompass\encompassserver.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: M-Audio Ozone Installer (OzoneInstallerService) - Nemesis - C:\Program Files\M-Audio\Ozone\Install\ozinst.exe
O23 - Service: Pantech&Curitel Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 19201 bytes

-- Files created between 2007-11-07 and 2007-12-07 -----------------------------

2007-12-06 22:26:05 12669 --ah----- C:\auto.exe
2007-12-05 18:37:20 0 d-------- C:\WINDOWS\system32\junk
2007-12-05 18:28:59 0 d-------- C:\WINDOWS\junk
2007-12-05 18:26:29 0 d-------- C:\junk
2007-12-04 23:12:53 0 d-------- C:\Program Files\Trend Micro
2007-12-04 21:45:59 0 d-------- C:\Program Files\SpywareBlaster
2007-12-04 13:20:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-04 07:12:50 0 d-------- C:\Documents and Settings\dan\Application Data\Maxtor Quick Start
2007-12-03 20:19:59 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-03 19:35:47 0 d-------- C:\Program Files\ShellExView
2007-12-01 16:12:54 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-01 10:05:28 0 d-------- C:\Program Files\BitTorrent
2007-11-30 15:25:51 0 d-------- C:\Documents and Settings\dha\.netbeans-derby
2007-11-30 15:25:27 0 d-------- C:\Documents and Settings\dha\.netbeans
2007-11-30 14:14:15 0 d-------- C:\Documents and Settings\dha\.nbi
2007-11-15 13:25:32 0 d-------- C:\KA
2007-11-13 1543 0 d-------- C:\Program Files\iPod
2007-11-13 1539 0 d-------- C:\Program Files\iTunes
2007-11-13 15:04:59 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-11-13 15:04:33 0 d-------- C:\Program Files\Common Files\Apple
2007-11-09 16:37:03 0 d-------- C:\Program Files\Apple Software Update
2007-11-09 16:37:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple


-- Find3M Report ---------------------------------------------------------------

2007-12-05 20:02:33 0 d-------- C:\Program Files\IBM fingerprint software
2007-12-05 20:02:32 0 d-------- C:\Program Files\Common Files\Virtual Token
2007-12-05 20:01:16 0 d-------- C:\Program Files\Network Print Monitor
2007-12-05 19:59:20 0 d-------- C:\Program Files\Messenger
2007-12-05 19:59:18 0 d-------- C:\Program Files\Linksys EasyLink Advisor
2007-12-05 19:59:13 0 d-------- C:\Program Files\Digital Line Detect
2007-12-05 19:59:10 0 d-------- C:\Program Files\No-IP
2007-12-05 19:59:08 0 d-------- C:\Program Files\Google
2007-12-01 16:12:51 0 d-------- C:\Documents and Settings\dha\Application Data\Mozilla
2007-11-13 15:04:33 0 d-------- C:\Program Files\Common Files
2007-11-09 16:39:35 0 d-------- C:\Program Files\QuickTime
2007-11-02 18:45:58 0 d-------- C:\Program Files\Microsoft.NET
2007-10-27 07:07:38 48168 --a------ C:\Documents and Settings\dha\Application Data\GDIPFONTCACHEV1.DAT
2007-10-20 18:58:38 1140 --a------ C:\WINDOWS\mozver.dat
2007-10-17 14:24:41 0 d-------- C:\Program Files\Zend
2007-10-17 08:22:32 0 d-------- C:\Documents and Settings\dha\Application Data\WebEx
2007-10-17 08:07:55 202826 --a------ C:\WINDOWS\system32\atasnt40.dll <Not Verified; WebEx Communications, Inc; WebEx Application Sharing>
2007-10-13 20:04:48 0 d-------- C:\Documents and Settings\dha\Application Data\Gtek
2007-10-10 15:04:35 0 d-------- C:\Program Files\McAfee


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [10/11/2001 11:32 PM C:\WINDOWS\system32\S3Tray2.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [06/16/2004 10:53 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [06/16/2004 10:53 AM]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [02/04/2004 06:39 PM]
"TpShocks"="TpShocks.exe" [03/26/2004 06:16 PM C:\WINDOWS\system32\TpShocks.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [03/03/2005 05:10 PM]
"ControlCenter"="C:\Program Files\IBM fingerprint software\ctlcntr.exe" [09/24/2004 04:11 PM]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [12/25/2003 02:04 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/25/2004 12:52 PM]
"FRYMXINS"="C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl" []
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [07/14/2004 04:34 PM]
"UC_SMB"="" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/2003 01:01 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [09/02/2004 01:05 AM]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" [07/22/2004 02:01 AM]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [03/19/2004 12:12 PM]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [03/18/2005 03:07 AM]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [07/29/2004 01:37 AM]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [07/29/2004 01:37 AM]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [07/29/2004 01:37 AM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 12:56 AM C:\WINDOWS\system32\bthprops.cpl]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11/03/2005 11:54 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [04/01/2004 10:52 AM]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [03/26/2004 02:40 PM]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [08/06/2003 04:08 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [03/14/2007 02:43 AM]
"pdfw"="C:\Program Files\Amic Utilities\PDF Writer Pro\pdfwload.exe" [03/24/2004 11:56 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/19/2007 08:16 PM]
"Gizmo Project"="C:\Program Files\Gizmo Project\Gizmo.exe" [06/15/2007 02:00 PM]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [10/18/2005 09:00 AM]
"DigidesignMMERefresh"="C:\berkleemusic\Digidesign\Digidesign\Drivers\MMERefresh.exe" [10/25/2005 10:21 PM]
"MAFWTaskbarApp"="C:\WINDOWS\system32\MAFWTray.exe" [09/20/2005 05:17 PM]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [09/07/2006 09:19 AM]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [01/12/2007 04:45 PM]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [01/18/2007 12:20 PM]
"@"="" []
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/04/2007 01:33 AM]
"MaxBackSchedule"="C:\Program Files\Maxtor\MSS Backup\maxbackservice.exe" [06/15/2006 11:21 AM]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [06/05/2006 12:00 PM]
"mssSort"="C:\Program Files\Maxtor\ManagerApp\msssort.exe" [05/25/2006 12:41 PM]
"QCTray"="C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe" [03/18/2005 03:07 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/02/2007 06:36 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [12/04/2007 01:07 PM]
"TP4EX"="tp4ex.exe" [09/04/2002 01:05 AM C:\WINDOWS\system32\TP4EX.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [07/22/2004 02:01 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [06/11/2007 05:16 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 08:24 AM]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/01/2007 01:22 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/30/2007 10:24 AM]
"Ceedo AutoDetect"="C:\DOCUME~1\dha\LOCALS~1\Temp\AutoDetect.exe" [03/12/2007 10:50 PM]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [03/15/2007 05:16 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 08:05 PM]
"HijackThis startup scan"="C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" [12/04/2007 11:12 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"Ceedo Repair"=C:\DOCUME~1\dha\LOCALS~1\Temp\AutoDetect.exe /repair /drive=E /name=Ceedo

C:\Documents and Settings\dha\Start Menu\Programs\Startup\
No-IP DUC.lnk - C:\Program Files\No-IP\DUC20.exe [9/29/2007 3:08:11 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 9:05:26 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [11/14/2005 10:50:53 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
MIDI Matrix.lnk - C:\berkleemusic\NTONYX\MIDI Matrix\MidiMtrx.exe [2/5/2006 9:37:55 PM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [12/17/2002 4:23:32 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 01/12/2007 04:45 PM 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\Program Files\IBM fingerprint software\psfus.dll 09/24/2004 04:15 PM 108636 C:\Program Files\IBM fingerprint software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 03/18/2005 03:07 AM 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 08/12/2004 08:11 PM 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli pwdmon

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
Auto\command- E:\auto.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
Shell00\Command- E:\Autorun.exe /run
Shell01\Command- E:\Autorun.exe /action
Shell02\Command- E:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{102cda09-5846-11dc-aec0-000fb39c6ce7}]
Auto\command- auto.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
Shell00\Command- E:\Autorun.exe /run
Shell01\Command- E:\Autorun.exe /action
Shell02\Command- E:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8ffcb80-7a16-11da-abb4-0013ce12d19a}]
AutoRun\command- E:\JDSecure\Windows\JDSecure20.exe




-- End of Deckard's System Scanner: finished at 2007-12-07 18:59:55 ------------

Thanks.

Dan
siriushaha is offline