Tech Support Forum - View Single Post

chris shorb · 06-19-2008, 09:08 AM

Hi Ried -

I hope you guys aren't getting too rained out out there...

Here's my Combofix log, then followed by my Hijack this log seperated by a bunch of asterisks.

Thank you again!

ComboFix 08-06-16.5 - team shorbn 2008-06-19 7:43:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.256 [GMT -7:00]
Running from: C:\Documents and Settings\team shorbn\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\team shorbn\g2mdlhlpx.exe
C:\Program Files\web buying
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\system32\a13
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\e2
C:\WINDOWS\system32\g1
C:\WINDOWS\system32\i8
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\x22
C:\WINDOWS\system32\y2
C:\WINDOWS\system32\y2\taz28fl.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_sysrest.sys
-------\Service_TnIDriver

((((((((((((((((((((((((( Files Created from 2008-05-19 to 2008-06-19 )))))))))))))))))))))))))))))))
.

2008-06-13 17:04 . 2008-06-13 17:04 <DIR> d-------- C:\Deckard
2008-06-13 16:54 . 2008-06-13 16:54 <DIR> d-------- C:\ie-spyad_zo
2008-06-13 16:49 . 2008-06-13 16:51 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-13 16:49 . 2008-06-13 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-13 16:39 . 2008-06-13 17:26 <DIR> d-------- C:\Program Files\Panda Security
2008-06-13 15:25 . 2008-06-13 15:12 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-13 15:12 . 2008-06-13 15:38 <DIR> d-------- C:\Documents and Settings\team shorbn\.housecall6.6
2008-06-13 11:24 . 2008-06-19 06:44 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-06-13 11:22 . 2008-06-19 06:44 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp
2008-06-12 07:27 . 2008-06-19 07:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-12 07:27 . 2008-06-12 07:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-11 07:50 . 2008-04-14 04:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 07:50 . 2008-04-14 04:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-20 18:02 . 2008-05-20 18:02 <DIR> d-------- C:\Program Files\Common Files\WexTech Shared
2008-05-20 18:02 . 2008-05-20 18:02 <DIR> d-------- C:\Program Files\Common Files\LHSPF
2008-05-20 18:02 . 2000-05-02 10:03 225,280 --a------ C:\WINDOWS\system32\AWRTL30.DLL
2008-05-20 18:02 . 1998-08-04 11:22 111,616 --a------ C:\WINDOWS\system32\LTIH30TB.DLL
2008-05-20 18:02 . 2000-10-20 01:05 25,088 --a------ C:\WINDOWS\system32\msxml3a.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-19 13:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-18 23:34 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-13 22:55 --------- d-----w C:\Program Files\Trend Micro
2008-06-02 20:00 --------- d-----w C:\Documents and Settings\team shorbn\Application Data\AdobeUM
2008-05-27 21:30 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-21 01:03 155,995 ----a-w C:\WINDOWS\java\Packages\1VHVZBJH.ZIP
2008-05-21 01:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-21 01:02 --------- d-----w C:\Program Files\Intuit
2008-05-12 03:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Musicnotes
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-05-02 23:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-05-02 23:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-05-02 23:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-04-24 05:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-13 04:44 73,216 ----a-w C:\WINDOWS\ODEUNST.EXE
2008-04-13 04:44 266,240 ------w C:\WINDOWS\Setup1.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 16:15 321040]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 02:48 761947]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 07:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 07:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 07:45 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48 32881]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 13:08 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-01-09 09:33 417792 C:\WINDOWS\stsystra.exe]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 18:15 290816]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 03:12 98304]
"CTSVolFE.exe"="C:\Program Files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 13:57 57344]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 03:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 14:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 14:50 81920]
"eFax 4.2"="C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [2006-07-14 13:36 107008]
"ShowLOMControl"="" []
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2005-10-31 04:20 503808]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 14:02 1807960]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-12 18:12 185632]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"IntuitUpdater"="C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdater.exe" [2007-08-15 12:59 38176]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"sysrest32.exe"="C:\WINDOWS\system32\sysrest32.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-10-13 09:50:18 110592]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-05-08 05:07:47 156784]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-08 05:03:24 24576]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-11-28 14:52:14 124912]
NETGEAR ProSafe VPN Client.lnk - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe [2007-08-27 10:48:52 57396]
QuickBooks 2002 Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe [2008-05-20 18:02:43 315392]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 09:59:36 806912]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 20:07:32 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\NETGEAR\\NETGEAR ProSafe VPN Client\\Vpn.exe"=
"C:\\Program Files\\NETGEAR\\NETGEAR ProSafe VPN Client\\ViewLog.exe"=
"C:\\Program Files\\NETGEAR\\NETGEAR ProSafe VPN Client\\CmonApp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\SoftEssentials\\Vending Essentials\\rteng8.exe"=

R2 Crypto;Crypto;C:\WINDOWS\system32\drivers\Crypto.sys [2003-07-16 16:31]
R2 Intuit Entitlement Service v5;Intuit Entitlement Service v5;"C:\Program Files\Common Files\Intuit\Entitlement Client\v5\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe" [2007-06-20 17:55]
R2 IntuitUpdateService;Intuit Update Service;"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" [2007-08-15 12:59]
R2 IPSECDRV;SafeNet IPSec Plugin;C:\WINDOWS\system32\Drivers\IPSECDRV.sys [2003-08-20 14:39]
R2 QBPOSDBServiceV7;QBPOS Database Manager v7;"C:\Program Files\Intuit\QuickBooks Point of Sale 7.0\DatabaseServer\QBPOSDBServiceV7.exe" [2007-09-13 17:13]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
R3 DniVap;SafeNet WAN Miniport (VA);C:\WINDOWS\system32\DRIVERS\vap.sys [2001-12-14 15:26]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-16 18:54:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-19 07:49:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\MLANG.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\Program Files\Intuit\QuickBooks Point of Sale 7.0\DatabaseServer\QBDBMgrN.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-19 7:57:16 - machine was rebooted [team shorbn]
ComboFix-quarantined-files.txt 2008-06-19 14:57:12

Pre-Run: 10,711,326,720 bytes free
Post-Run: 10,905,743,360 bytes free

200 --- E O F --- 2008-06-11 16:58:42

***************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8

53 AM, on 6/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Intuit\Entitlement Client\v5\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdater.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [IntuitUpdater] "C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdater.exe" /command startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-606040875-4046201882-111989557-1007\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe (User 'QBPOSDBSrvUser')
O4 - HKUS\S-1-5-21-606040875-4046201882-111989557-1007\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" (User 'QBPOSDBSrvUser')
O4 - HKUS\S-1-5-21-606040875-4046201882-111989557-1007\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'QBPOSDBSrvUser')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: NETGEAR ProSafe VPN Client.lnk = C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1160542559515
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.1.7.cab
O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\system32\QBPOSProtocol.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Entitlement Service v5 - Intuit, Inc. - C:\Program Files\Common Files\Intuit\Entitlement Client\v5\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: QBPOS Database Manager v7 (QBPOSDBServiceV7) - Intuit Inc. - C:\Program Files\Intuit\QuickBooks Point of Sale 7.0\DatabaseServer\QBPOSDBServiceV7.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12739 bytes

best -

chris

06-19-2008, 09:08 AM	#6 (permalink)
chris shorb Registered User Join Date: Jun 2008 Posts: 22 OS: xp	Re: adware.w32.spyshredder Hi Ried - I hope you guys aren't getting too rained out out there... Here's my Combofix log, then followed by my Hijack this log seperated by a bunch of asterisks. Thank you again! ComboFix 08-06-16.5 - team shorbn 2008-06-19 7:43:03.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.256 [GMT -7:00] Running from: C:\Documents and Settings\team shorbn\Desktop\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\team shorbn\g2mdlhlpx.exe C:\Program Files\web buying C:\Temp\1cb C:\Temp\1cb\syscheck.log C:\WINDOWS\system32\a13 C:\WINDOWS\system32\bszip.dll C:\WINDOWS\system32\ctfmona.exe C:\WINDOWS\system32\e2 C:\WINDOWS\system32\g1 C:\WINDOWS\system32\i8 C:\WINDOWS\system32\MSINET.oca C:\WINDOWS\system32\pac.txt C:\WINDOWS\system32\sysrest32.exe C:\WINDOWS\system32\x22 C:\WINDOWS\system32\y2 C:\WINDOWS\system32\y2\taz28fl.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_sysrest.sys -------\Service_TnIDriver ((((((((((((((((((((((((( Files Created from 2008-05-19 to 2008-06-19 ))))))))))))))))))))))))))))))) . 2008-06-13 17:04 . 2008-06-13 17:04 <DIR> d-------- C:\Deckard 2008-06-13 16:54 . 2008-06-13 16:54 <DIR> d-------- C:\ie-spyad_zo 2008-06-13 16:49 . 2008-06-13 16:51 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-06-13 16:49 . 2008-06-13 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP 2008-06-13 16:39 . 2008-06-13 17:26 <DIR> d-------- C:\Program Files\Panda Security 2008-06-13 15:25 . 2008-06-13 15:12 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys 2008-06-13 15:12 . 2008-06-13 15:38 <DIR> d-------- C:\Documents and Settings\team shorbn\.housecall6.6 2008-06-13 11:24 . 2008-06-19 06:44 160,256 --a------ C:\WINDOWS\system32\blackster.scr 2008-06-13 11:22 . 2008-06-19 06:44 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp 2008-06-12 07:27 . 2008-06-19 07:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-06-12 07:27 . 2008-06-12 07:27 1,409 --a------ C:\WINDOWS\QTFont.for 2008-06-11 07:50 . 2008-04-14 04:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys 2008-06-11 07:50 . 2008-04-14 04:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys 2008-05-20 18:02 . 2008-05-20 18:02 <DIR> d-------- C:\Program Files\Common Files\WexTech Shared 2008-05-20 18:02 . 2008-05-20 18:02 <DIR> d-------- C:\Program Files\Common Files\LHSPF 2008-05-20 18:02 . 2000-05-02 10:03 225,280 --a------ C:\WINDOWS\system32\AWRTL30.DLL 2008-05-20 18:02 . 1998-08-04 11:22 111,616 --a------ C:\WINDOWS\system32\LTIH30TB.DLL 2008-05-20 18:02 . 2000-10-20 01:05 25,088 --a------ C:\WINDOWS\system32\msxml3a.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-19 13:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater 2008-06-18 23:34 --------- d-----w C:\Program Files\Mozilla Thunderbird 2008-06-13 22:55 --------- d-----w C:\Program Files\Trend Micro 2008-06-02 20:00 --------- d-----w C:\Documents and Settings\team shorbn\Application Data\AdobeUM 2008-05-27 21:30 --------- d-----w C:\Program Files\Common Files\Adobe 2008-05-21 01:03 155,995 ----a-w C:\WINDOWS\java\Packages\1VHVZBJH.ZIP 2008-05-21 01:02 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-05-21 01:02 --------- d-----w C:\Program Files\Intuit 2008-05-12 03:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Musicnotes 2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys 2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys 2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll 2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll 2008-05-02 23:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys 2008-05-02 23:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys 2008-05-02 23:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys 2008-04-24 05:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll 2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe 2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe 2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe 2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll 2008-04-13 04:44 73,216 ----a-w C:\WINDOWS\ODEUNST.EXE 2008-04-13 04:44 266,240 ------w C:\WINDOWS\Setup1.exe 2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys 2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784] "OE_OEM"="C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 16:15 321040] "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 02:48 761947] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 07:44 98304] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 07:41 77824] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 07:45 118784] "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48 32881] "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 13:08 1347584] "SigmatelSysTrayApp"="stsystra.exe" [2006-01-09 09:33 417792 C:\WINDOWS\stsystra.exe] "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 18:15 290816] "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 03:12 98304] "CTSVolFE.exe"="C:\Program Files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 13:57 57344] "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 03:20 122940] "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 14:50 221184] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 14:50 81920] "eFax 4.2"="C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [2006-07-14 13:36 107008] "ShowLOMControl"="" [] "Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2005-10-31 04:20 503808] "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328] "pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 14:02 1807960] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-12 18:12 185632] "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384] "IntuitUpdater"="C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdater.exe" [2007-08-15 12:59 38176] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048] "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544] "sysrest32.exe"="C:\WINDOWS\system32\sysrest32.exe" [ ] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193] Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-10-13 09:50:18 110592] Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696] America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-05-08 05:07:47 156784] Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-08 05:03:24 24576] Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-11-28 14:52:14 124912] NETGEAR ProSafe VPN Client.lnk - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe [2007-08-27 10:48:52 57396] QuickBooks 2002 Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe [2008-05-20 18:02:43 315392] QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 09:59:36 806912] Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 20:07:32 81920] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"= "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"= "C:\\Program Files\\America Online 9.0\\waol.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\NETGEAR\\NETGEAR ProSafe VPN Client\\Vpn.exe"= "C:\\Program Files\\NETGEAR\\NETGEAR ProSafe VPN Client\\ViewLog.exe"= "C:\\Program Files\\NETGEAR\\NETGEAR ProSafe VPN Client\\CmonApp.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\SoftEssentials\\Vending Essentials\\rteng8.exe"= R2 Crypto;Crypto;C:\WINDOWS\system32\drivers\Crypto.sys [2003-07-16 16:31] R2 Intuit Entitlement Service v5;Intuit Entitlement Service v5;"C:\Program Files\Common Files\Intuit\Entitlement Client\v5\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe" [2007-06-20 17:55] R2 IntuitUpdateService;Intuit Update Service;"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" [2007-08-15 12:59] R2 IPSECDRV;SafeNet IPSec Plugin;C:\WINDOWS\system32\Drivers\IPSECDRV.sys [2003-08-20 14:39] R2 QBPOSDBServiceV7;QBPOS Database Manager v7;"C:\Program Files\Intuit\QuickBooks Point of Sale 7.0\DatabaseServer\QBPOSDBServiceV7.exe" [2007-09-13 17:13] R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23] R3 DniVap;SafeNet WAN Miniport (VA);C:\WINDOWS\system32\DRIVERS\vap.sys [2001-12-14 15:26] S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01] . Contents of the 'Scheduled Tasks' folder "2008-06-16 18:54:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-19 07:49:57 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\explorer.exe -> ?:\WINDOWS\system32\MLANG.dll . ------------------------ Other Running Processes ------------------------ . C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe C:\WINDOWS\system32\WLTRYSVC.EXE C:\WINDOWS\system32\BCMWLTRY.EXE C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe C:\Program Files\Intuit\QuickBooks Point of Sale 7.0\DatabaseServer\QBDBMgrN.exe C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\PC Connectivity Solution\ServiceLayer.exe C:\Program Files\iPod\bin\iPodService.exe . ********************************************************************** . Completion time: 2008-06-19 7:57:16 - machine was rebooted [team shorbn] ComboFix-quarantined-files.txt 2008-06-19 14:57:12 Pre-Run: 10,711,326,720 bytes free Post-Run: 10,905,743,360 bytes free 200 --- E O F --- 2008-06-11 16:58:42 ************************************************* Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 853 AM, on 6/19/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\Program Files\Common Files\Intuit\Entitlement Client\v5\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe C:\Program Files\Dell Support Center\bin\sprtsvc.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\WLTRAY.exe C:\WINDOWS\stsystra.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\Program Files\Creative\Mixer\CTSVolFE.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdater.exe C:\Program Files\PC Connectivity Solution\ServiceLayer.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Dell Support Center\bin\sprtcmd.exe C:\Program Files\DellSupport\DSAgnt.exe C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Google\Google Updater\GoogleUpdater.exe C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R O4 - HKLM\..\Run: [ShowLOMControl] O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" O4 - HKLM\..\Run: [IntuitUpdater] "C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdater.exe" /command startup O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-21-606040875-4046201882-111989557-1007\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe (User 'QBPOSDBSrvUser') O4 - HKUS\S-1-5-21-606040875-4046201882-111989557-1007\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" (User 'QBPOSDBSrvUser') O4 - HKUS\S-1-5-21-606040875-4046201882-111989557-1007\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'QBPOSDBSrvUser') O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user') O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe O4 - Global Startup: NETGEAR ProSafe VPN Client.lnk = C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1160542559515 O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.1.7.cab O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\system32\QBPOSProtocol.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Intuit Entitlement Service v5 - Intuit, Inc. - C:\Program Files\Common Files\Intuit\Entitlement Client\v5\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe O23 - Service: QBPOS Database Manager v7 (QBPOSDBServiceV7) - Intuit Inc. - C:\Program Files\Intuit\QuickBooks Point of Sale 7.0\DatabaseServer\QBPOSDBServiceV7.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE -- End of file - 12739 bytes best - chris