Hello sjb007,
Thank you so much for your help. I hope that now I am clean.
ComboFix 08-09-05.09 - RLM 2008-09-09 18:29:19.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.191 [GMT -6:00]
Running from: C:\Documents and Settings\RLM\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\RLM\Desktop\CFScript.txt
* Created a new restore point
.
Other Deletions
.
E:\Autorun.inf
.
Drivers/Services
.
-------\Legacy_WINDOWS_SYSTEM2007_A11101
-------\Service_Windows_system2007_a11101
Files Created from 2008-08-10 to 2008-09-10
.
2008-09-08 21:36 . 2008-09-08 21:36 <DIR> d-------- C:\Documents and Settings\RLM\Application Data\AdobeUM
2008-09-08 09:46 . 2008-09-08 09:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-07 14:30 . 2008-09-07 14:30 <DIR> d-------- C:\Program Files\iPod
2008-09-07 14:30 . 2008-09-07 14:30 <DIR> d-------- C:\Documents and Settings\RLM\Application Data\Apple Computer
2008-09-07 14:29 . 2008-09-07 14:30 <DIR> d-------- C:\Program Files\iTunes
2008-09-07 14:29 . 2008-09-07 14:29 <DIR> d-------- C:\Program Files\Bonjour
2008-09-07 14:28 . 2008-09-07 14:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-07 14:27 . 2008-09-07 14:27 <DIR> d-------- C:\Program Files\Apple Software Update
2008-09-07 14:26 . 2008-09-07 14:26 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-09-07 14:26 . 2008-09-07 14:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-09-07 13:03 . 2008-09-07 14:29 <DIR> d-------- C:\Program Files\QuickTime
2008-09-05 18:22 . 2008-09-05 18:22 <DIR> d-------- C:\Program Files\Avira
2008-09-05 18:22 . 2008-09-05 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-09-03 21:11 . 2008-04-13 18:12 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-09-03 21:11 . 2008-04-13 12:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-09-03 21:11 . 2008-04-13 12:45 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-09-03 21:11 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-09-03 18:55 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-09-03 18:55 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-09-03 18:55 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-09-03 18:55 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-09-03 18:55 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-09-03 18:55 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-09-03 18:55 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-09-03 18:55 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2008-09-03 18:30 . 2008-09-03 18:30 <DIR> d-------- C:\Program Files\Hp
2008-08-31 21:23 . 2008-08-31 21:23 <DIR> d-------- C:\Program Files\Netflix
2008-08-31 16:38 . 2008-09-08 08:54 <DIR> d-------- C:\Program Files\CleanUp!
2008-08-30 12:46 . 2008-08-30 12:46 169 --a------ C:\WINDOWS\RtlRack.ini
2008-08-30 12:38 . 2008-08-30 12:38 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2008-08-30 12:38 . 2008-08-30 12:38 <DIR> d-------- C:\Program Files\AvRack
2008-08-30 12:38 . 2001-07-05 10:19 164 --------- C:\WINDOWS\avrack.ini
2008-08-30 12:37 . 2008-08-30 12:37 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-08-30 12:36 . 2008-08-30 12:36 <DIR> d-------- C:\Program Files\Synaptics
2008-08-30 12:36 . 2004-10-08 00:33 185,824 --a------ C:\WINDOWS\system32\drivers\SynTP.sys
2008-08-30 12:36 . 2004-10-08 00:36 114,688 --a------ C:\WINDOWS\system32\SynCtrl.dll
2008-08-30 12:36 . 2004-10-08 00:36 90,202 --a------ C:\WINDOWS\system32\SynTPAPI.dll
2008-08-30 12:36 . 2004-10-08 00:46 81,920 --a------ C:\WINDOWS\system32\SynTPCo2.dll
2008-08-30 12:36 . 2004-10-08 00:35 77,917 --a------ C:\WINDOWS\system32\SynCOM.dll
2008-08-30 12:36 . 2004-10-08 00:44 69,722 --a------ C:\WINDOWS\system32\SynTPFcs.dll
2008-08-30 05:27 . 2008-08-30 05:27 <DIR> d-------- C:\Documents and Settings\RLM\Application Data\Leadertech
2008-08-30 05:04 . 2008-08-30 05:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HotSync
2008-08-30 05:04 . 2008-08-30 05:02 53,248 --a------ C:\WINDOWS\PalmDevC.dll
2008-08-30 05:03 . 2008-08-30 05:27 <DIR> d-------- C:\Program Files\palmOne
2008-08-30 05:02 . 2008-09-03 18:29 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-08-30 05:02 . 2008-08-30 05:02 <DIR> d-------- C:\Documents and Settings\RLM\Application Data\HotSync
2008-08-27 17:22 . 2008-08-30 18:13 395 --a------ C:\WINDOWS\system\CMCNFG2.INI
2008-08-27 06:55 . 2008-08-27 06:55 <DIR> d-------- C:\Program Files\Windows Defender
2008-08-26 19:58 . 2008-08-26 19:58 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-26 19:56 . 2008-09-08 18:03 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-08-26 19:48 . 2008-08-27 06:43 <DIR> d-------- C:\Program Files\NOS
2008-08-26 19:48 . 2008-08-27 06:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-08-26 19:02 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-26 19:02 . 2008-07-18 22:07 210,976 --a------ C:\WINDOWS\system32\muweb.dll
2008-08-26 19:02 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-08-25 20:47 . 2008-08-25 20:47 <DIR> d-------- C:\Documents and Settings\RLM\Contacts
2008-08-25 20:46 . 2008-09-07 14:27 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-25 20:32 . 2008-08-25 20:54 <DIR> d-------- C:\Program Files\Windows Live
2008-08-25 20:32 . 2008-08-25 20:43 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-25 20:31 . 2008-08-25 20:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-25 20:00 . 2008-08-25 20:26 <DIR> d-------- C:\Documents and Settings\RLM\Application Data\OfficeUpdate12
2008-08-25 19:58 . 2008-08-25 19:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-25 19:57 . 2007-04-09 13:23 28,040 --a------ C:\WINDOWS\system32\mdimon.dll
2008-08-25 19:57 . 2008-08-25 19:57 376 --a------ C:\WINDOWS\ODBC.INI
2008-08-25 19:56 . 2008-08-25 19:56 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-08-25 19:56 . 2008-08-25 19:56 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-08-25 19:51 . 2008-08-25 19:51 <DIR> dr-h----- C:\MSOCache
2008-08-25 17:35 . 2008-08-25 17:42 <DIR> d-------- C:\Program Files\Microsoft Money 2005
2008-08-25 17:28 . 2008-08-30 05:02 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-08-25 17:27 . 2004-12-21 11:32 369,024 --------- C:\WINDOWS\system32\drivers\BCMWL5.SYS
2008-08-25 17:23 . 2008-08-30 12:37 6 --a------ C:\ISACER.ID
2008-08-25 17:18 . 2008-04-13 13:19 146,048 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-08-25 12:42 . 2008-08-25 12:43 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-25 12:42 . 2008-08-25 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-25 12:42 . 2005-04-15 20:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-08-25 12:42 . 2005-08-25 19:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-08-25 12:13 . 2008-08-25 12:13 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-25 12:12 . 2008-08-25 12:12 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-08-25 12:12 . 2008-08-25 12:12 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-25 12:11 . 2008-07-22 08:45 1,214,526 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-08-25 12:11 . 2008-07-22 08:45 790,846 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-08-25 12:11 . 2008-07-22 08:45 9,696 -----c--- C:\WINDOWS\system32\dllcache\drvmain.sdb
2008-08-25 11:46 . 2008-08-25 11:46 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-25 11:46 . 2008-08-25 11:46 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-25 11:46 . 2008-08-25 11:46 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-25 11:29 . 2006-10-18 21:47 991,744 -----c--- C:\WINDOWS\system32\dllcache\drmv2clt.dll
2008-08-25 11:28 . 2008-04-13 18:11 233,472 --------- C:\WINDOWS\system32\azroles.dll
2008-08-25 11:28 . 2008-04-13 18:11 136,192 --------- C:\WINDOWS\system32\aaclient.dll
2008-08-25 11:28 . 2006-10-18 21:47 7,168 -----c--- C:\WINDOWS\system32\dllcache\asferror.dll
2008-08-25 11:22 . 2008-06-13 05:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-25 11:14 . 2008-05-01 08:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-25 11:14 . 2008-05-08 08:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-08-25 10:59 . 2008-08-25 11:54 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-08-25 10:58 . 2008-08-25 10:58 <DIR> d-------- C:\WINDOWS\provisioning
2008-08-25 10:58 . 2008-08-25 11:46 <DIR> d-------- C:\WINDOWS\peernet
2008-08-25 10:56 . 2008-08-25 10:56 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-25 10:49 . 2008-08-25 11:35 <DIR> d-------- C:\WINDOWS\EHome
2008-08-25 10:45 . 2002-04-15 21:11 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img
2008-08-25 10:45 . 2008-04-14 05:42 11,264 --------- C:\WINDOWS\system32\spnpinst.exe
2008-08-25 10:45 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-08-25 10:45 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-08-25 10:33 . 2008-08-25 10:33 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-08-25 10:33 . 2008-08-26 22:44 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-08-25 10:33 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-08-25 10:32 . 2008-08-25 11:46 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-25 10:31 . 2008-04-13 11:39 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
2008-08-25 10:31 . 2008-04-13 18:12 354,304 --a------ C:\WINDOWS\system32\winhttp.dll
2008-08-25 10:31 . 2008-04-13 18:12 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-08-25 10:31 . 2008-04-13 18:11 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-08-25 10:31 . 2008-04-13 18:11 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-08-25 10:13 . 2008-09-08 21:37 <DIR> d--hs---- C:\WINDOWS\Installer
2008-08-25 10:12 . 2008-09-09 18:15 <DIR> d-------- C:\Documents and Settings\RLM
2008-08-25 10:10 . 2008-08-25 10:10 13,688 --a------ C:\WINDOWS\system32\wpa.bak
2008-08-25 10:07 . 2008-08-25 10:07 <DIR> d--hs---- C:\Documents and Settings\NetworkService
2008-08-25 10:07 . 2008-08-25 11:05 <DIR> d--hs---- C:\Documents and Settings\LocalService
2008-08-25 10:06 . 2008-08-25 10:06 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-08-25 10:04 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_regtrace.exe
2008-08-25 10:04 . 2003-03-31 06:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\quser.exe
2008-08-25 10:04 . 2003-03-31 06:00 14,848 --a--c--- C:\WINDOWS\system32\dllcache\register.exe
2008-08-25 10:02 . 2003-03-31 06:00 131,584 --a--c--- C:\WINDOWS\system32\dllcache\pmxviceo.dll
2008-08-25 10:02 . 2003-03-31 06:00 11,264 --a--c--- C:\WINDOWS\system32\dllcache\pmxmcro.dll
2008-08-25 10:02 . 2003-03-31 06:00 9,728 --a--c--- C:\WINDOWS\system32\dllcache\query.exe
2008-08-25 10:02 . 2003-03-31 06:00 6,144 --a--c--- C:\WINDOWS\system32\dllcache\pmxgl.dll
.
Find3M Report
.
2008-08-30 11:02 16,694 ----a-w C:\WINDOWS\system32\drivers\PalmUSBD.sys
2008-08-25 23:29 17,801 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-08-25 15:36 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-21 18:52 524,288 ----a-w C:\WINDOWS\opuc.dll
2008-07-19 04:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 04:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 04:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 04:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 04:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 04:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 04:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 04:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-27 13:19 1,571,001 ----a-w C:\WINDOWS\system32\sisgl.dll
2008-06-27 13:02 3,467,264 ----a-w C:\WINDOWS\system32\sisgrv.dll
2008-06-27 12:54 9,728 ----a-w C:\WINDOWS\system32\SiSPIns2.dll
2008-06-27 12:53 49,152 ----a-w C:\WINDOWS\system32\SiSBase.dll
2008-06-27 12:53 258,048 ----a-w C:\WINDOWS\system32\SiSParse.dll
2008-06-27 12:53 172,032 ----a-w C:\WINDOWS\system32\SiSInst.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.
snapshot@2008-09-08_ 9.37.01.54
.
+ 2005-10-21 02:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
Reg Loading Points.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [X]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-07 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"SoundMan"="SOUNDMAN.EXE" [2005-02-23 C:\WINDOWS\SOUNDMAN.EXE]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 471040]
[HKLM\~\startupfolder\C:^Documents and Settings^RLM^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=C:\Documents and Settings\RLM\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R3 cmuda2;C-Media USB Audio Interface;C:\WINDOWS\system32\drivers\cmuda2.sys [2004-01-06 705536]
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-09-09 18:34:35
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-09-09 18:38:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-10 00:38:00
ComboFix2.txt 2008-09-08 15:37:25
Pre-Run: 25,750,130,688 bytes free
Post-Run: 25,694,490,624 bytes free
235 --- E O F --- 2008-09-05 23:54:24
Forgot to save the Kaspersky log, but it didn't find any threats.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:09 PM, on 09/09/08
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01...s/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1219680942680
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1219841271531
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JS...ws-i586-jc.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/...osticsxp2k.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 7660 bytes