Hi, thanks for the reply. I have removed FlashGet and then, after a reboot, ran ComboFix.
Following is the ComboFix log:
ComboFix 08-11-02.05 - batwings 2008-11-03 23:23:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.433 [GMT 5:00]
Running from: d:\profiles\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\a.bat
c:\windows\base64.tmp
c:\windows\bdn.com
c:\windows\erxt.exe
c:\windows\FVProtect.exe
c:\windows\Installer\{18e0c1bc-7f26-4c37-9382-4851f7996d82}\zip.dll
c:\windows\iTunesMusic.exe
c:\windows\mslagent
c:\windows\mssecu.exe
c:\windows\system32\dleppttj.dll
c:\windows\system32\jttppeld.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\sfuveqgl.dll
c:\windows\system32\wvUkHYoL.dll
c:\windows\system32akttzn.exe
c:\windows\system32anticipator.dll
c:\windows\system32awtoolb.dll
c:\windows\system32bdn.com
c:\windows\system32bsva-egihsg52.exe
c:\windows\system32dpcproxy.exe
c:\windows\system32emesx.dll
c:\windows\system32h@tkeysh@@k.dll
c:\windows\system32hoproxy.dll
c:\windows\system32hxiwlgpm.dat
c:\windows\system32hxiwlgpm.exe
c:\windows\system32medup012.dll
c:\windows\system32medup020.dll
c:\windows\system32msgp.exe
c:\windows\system32msnbho.dll
c:\windows\system32mssecu.exe
c:\windows\system32msvchost.exe
c:\windows\system32mtr2.exe
c:\windows\system32mwin32.exe
c:\windows\system32netode.exe
c:\windows\system32newsd32.exe
c:\windows\system32ps1.exe
c:\windows\system32psof1.exe
c:\windows\system32psoft1.exe
c:\windows\system32regc64.dll
c:\windows\system32regm64.dll
c:\windows\system32Rundl1.exe
c:\windows\system32smp
c:\windows\system32smp\msrc.exe
c:\windows\system32sncntr.exe
c:\windows\system32ssurf022.dll
c:\windows\system32ssvchost.com
c:\windows\system32ssvchost.exe
c:\windows\system32sysreq.exe
c:\windows\system32taack.dat
c:\windows\system32taack.exe
c:\windows\system32temp#01.exe
c:\windows\system32thun.dll
c:\windows\system32thun32.dll
c:\windows\system32VBIEWER.OCX
c:\windows\system32vbsys2.dll
c:\windows\system32vcatchpi.dll
c:\windows\system32winlogonpc.exe
c:\windows\system32winsystem.exe
c:\windows\system32WINWGPX.EXE
c:\windows\userconfig9x.dll
c:\windows\zip1.tmp
c:\windows\zip2.tmp
c:\windows\zip3.tmp
c:\windows\zipped.tmp
d:\profiles\Administrator\Application Data\Adobe\crc.dat
d:\profiles\Administrator\Application Data\Adobe\Player.exe.bak
d:\profiles\Administrator\Desktopblackbird.jpg
d:\profiles\Administrator\DesktopEditorFKWP1.5.exe
d:\profiles\Administrator\DesktopEditorFKWP2.0.exe
d:\profiles\Administrator\Desktopfilemanagerclient.exe
d:\profiles\Administrator\Desktopfkwp1.5.exe
d:\profiles\Administrator\Desktopfkwp2.0.exe
d:\profiles\Administrator\Desktopfwebd.exe
d:\profiles\Administrator\DesktopFWebdEditor.exe
d:\profiles\Administrator\DesktopTrojan.Win32.BlackBird.exe
d:\profiles\Administrator\Desktopvirii
d:\profiles\Administrator\Desktopvirii\Trojan-Downloader.Win32.Agent.bl.exe
d:\profiles\Administrator\Desktopvirii\Trojan-Downloader.Win32.Agent.p.exe
d:\profiles\Administrator\Desktopvirii\Trojan-Downloader.Win32.Agent.r.exe
d:\profiles\Administrator\Desktopvirii\Trojan-Downloader.Win32.Agent.t.exe
d:\profiles\Administrator\Desktopvirii\Trojan-Downloader.Win32.Agent.v.exe
d:\profiles\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
d:\profiles\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Possible infected sites -----
hxxp://78.157.143.198
hxxp://10.162.212.10:80
hxxp://ZPK01EDM01:80
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
((((((((((((((((((((((((( Files Created from 2008-10-03 to 2008-11-03 )))))))))))))))))))))))))))))))
.
2008-11-02 01:18 . 2007-03-08 20:36 62,464 --a------ c:\windows\system32\msbios.dll
2008-11-01 18:23 . 2008-11-01 18:47 <DIR> d-------- C:\ABomber
2008-10-31 23:09 . 2008-10-31 23:09 <DIR> d-------- C:\rsit
2008-10-31 23:09 . 2008-10-31 23:09 <DIR> d-------- c:\program files\trend micro
2008-10-31 20:16 . 2008-10-31 22:57 250 --a------ c:\windows\gmer.ini
2008-10-27 15:46 . 2008-11-03 23:30 85,176 --a------ c:\windows\system32\oodbs.lor
2008-10-27 13:36 . 2008-10-27 13:39 <DIR> d-------- c:\windows\system32\NtmsData
2008-10-27 09:09 . 2008-10-27 09:09 0 --a------ c:\windows\OODCNT.INI
2008-10-26 20:03 . 2008-10-29 13:47 <DIR> d-------- c:\windows\system32\oodag
2008-10-26 19:59 . 2008-10-26 19:59 <DIR> d-------- c:\program files\OO Software
2008-10-26 19:13 . 2004-08-04 11:56 123,904 --a--c--- c:\windows\system32\dllcache\dfrgui.dll
2008-10-26 19:13 . 2004-08-04 11:56 123,904 --a------ c:\windows\system32\dfrgui.dll
2008-10-26 19:13 . 2004-08-04 11:56 104,960 --a--c--- c:\windows\system32\dllcache\dfrgntfs.exe
2008-10-26 19:13 . 2004-08-04 11:56 82,432 --a--c--- c:\windows\system32\dllcache\dfrgfat.exe
2008-10-26 19:13 . 2004-08-04 11:56 82,432 --a------ c:\windows\system32\dfrgfat.exe
2008-10-26 19:13 . 2001-08-23 20:00 51,200 --a--c--- c:\windows\system32\dllcache\dfrgres.dll
2008-10-26 19:13 . 2001-08-23 20:00 51,200 --a------ c:\windows\system32\dfrgres.dll
2008-10-26 19:13 . 2001-08-23 20:00 41,397 --a------ c:\windows\system32\dfrg.msc
2008-10-26 19:13 . 2004-08-04 11:56 38,912 --a--c--- c:\windows\system32\dllcache\dfrgsnap.dll
2008-10-26 19:13 . 2004-08-04 11:56 38,912 --a------ c:\windows\system32\dfrgsnap.dll
2008-10-25 22:38 . 2008-10-25 22:38 <DIR> d-------- d:\profiles\Administrator\Application Data\Auslogics
2008-10-25 22:38 . 2008-10-25 22:38 <DIR> d-------- c:\program files\Auslogics
2008-10-25 22:31 . 2008-10-25 22:31 674,058 --a------ C:\FRAGLIST.LUAR
2008-10-25 22:30 . 2008-10-25 22:30 179,106 --a------ C:\FRAGLIST.HTM
2008-10-25 17:11 . 2008-10-25 22:32 <DIR> d-------- c:\windows\UltraDefrag
2008-10-24 12:39 . 2008-10-24 12:39 <DIR> d-------- c:\program files\MediaInfo Lite
2008-10-24 12:36 . 2008-10-24 12:36 <DIR> d-------- c:\program files\MOV Download Tool
2008-10-24 12:13 . 2008-10-24 12:13 <DIR> d-------- c:\program files\QuickTime Alternative
2008-10-24 12:04 . 2008-09-24 23:41 839,680 --a------ c:\windows\system32\lameACM.acm
2008-10-24 12:04 . 2007-09-04 21:56 164,352 --a------ c:\windows\system32\unrar.dll
2008-10-24 12:04 . 2008-10-03 17:30 414 --a------ c:\windows\system32\lame_acm.xml
2008-10-24 12:04 . 2008-07-31 00:09 38 --a------ c:\windows\avisplitter.ini
2008-10-24 12:03 . 2008-10-24 12:03 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-10-24 12:03 . 2008-09-16 05:14 3,596,288 --a------ c:\windows\system32\qt-dx331.dll
2008-10-24 12:03 . 2008-01-10 17:15 755,027 --a------ c:\windows\system32\xvidcore.dll
2008-10-24 12:03 . 2008-09-16 05:11 683,520 --a------ c:\windows\system32\divx.dll
2008-10-24 12:03 . 2004-01-25 21:18 217,088 --a------ c:\windows\system32\yv12vfw.dll
2008-10-24 12:03 . 2008-01-10 17:16 159,839 --a------ c:\windows\system32\xvidvfw.dll
2008-10-24 12:03 . 2007-09-21 05:52 118,784 --a------ c:\windows\system32\ac3acm.acm
2008-10-24 12:03 . 2008-09-16 05:12 81,920 --a------ c:\windows\system32\dpl100.dll
2008-10-24 12:03 . 2008-06-12 23:36 7,680 --a------ c:\windows\system32\ff_vfw.dll
2008-10-24 12:03 . 2007-07-10 21:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2008-10-24 10:59 . 2008-10-24 11:00 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-24 10:59 . 2008-10-24 11:00 1,409 --a------ c:\windows\QTFont.for
2008-10-23 14:14 . 2008-10-23 14:21 <DIR> d-------- d:\profiles\Administrator\.dia
2008-10-23 14:08 . 2008-10-23 14:09 <DIR> d-------- c:\program files\Dia
2008-10-23 13:03 . 2008-10-23 13:06 345 --ahs---- c:\windows\system32\yyJkknpo.ini
2008-10-23 10:40 . 2008-10-23 10:40 120 ---hs---- c:\windows\system32\shtfhqyi.ini
2008-10-22 14:59 . 2008-10-22 14:59 <DIR> d-------- d:\profiles\Administrator\Application Data\Logitech
2008-10-22 14:56 . 2008-10-22 14:56 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-10-22 14:56 . 2008-10-22 14:56 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2008-10-22 14:56 . 2008-10-22 14:56 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-10-22 14:53 . 2008-05-02 01:38 301,656 --a------ c:\windows\system32\BtCoreIf.dll
2008-10-22 14:53 . 2008-05-02 01:39 170,512 --a------ c:\windows\system32\kemutb.dll
2008-10-22 14:53 . 2008-05-02 01:39 145,936 --a------ c:\windows\system32\KemUtil.dll
2008-10-22 14:53 . 2008-05-02 01:40 117,264 --a------ c:\windows\system32\KemWnd.dll
2008-10-22 14:53 . 2008-05-02 01:40 84,496 --a------ c:\windows\system32\KemXML.dll
2008-10-22 09:27 . 2008-11-03 23:15 <DIR> d-a------ d:\profiles\All Users\Application Data\TEMP
2008-10-22 09:27 . 2008-10-22 09:27 <DIR> d-------- d:\profiles\Administrator\Application Data\PC Tools
2008-10-22 09:27 . 2008-11-03 23:17 <DIR> d-------- c:\program files\Spyware Doctor
2008-10-22 09:27 . 2008-10-23 11:00 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-10-22 09:27 . 2008-10-23 11:00 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-10-22 09:27 . 2008-10-23 11:00 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-10-22 09:27 . 2008-06-02 14:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-10-22 09:26 . 2008-10-22 09:26 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-10-21 19:49 . 2008-10-22 09:56 345 --ahs---- c:\windows\system32\tCMmnnpo.ini
2008-10-21 19:03 . 2008-10-22 10:06 <DIR> d-------- c:\program files\Panda Security
2008-10-21 12:50 . 2008-10-21 12:50 <DIR> d-------- c:\program files\Alwil Software
2008-10-21 12:08 . 2008-10-21 12:08 120 ---hs---- c:\windows\system32\lgqevufs.ini
2008-10-21 12:06 . 2008-10-21 13:04 345 --ahs---- c:\windows\system32\uBeLnnnn.ini
2008-10-21 11:59 . 2008-10-21 10:23 278,528 --a------ c:\windows\vwnskbot.dll
2008-10-21 11:59 . 2008-10-21 10:23 131,072 --a------ c:\windows\woprdagt.exe
2008-10-13 17:35 . 2008-10-14 10:13 <DIR> d-------- c:\program files\Broadband Internet-E220
2008-10-12 17:14 . 2008-10-12 17:14 <DIR> d-------- c:\program files\Peretek
2008-10-12 16:06 . 2008-09-21 11:06 31,232 --a------ c:\windows\system\vdremote.dll
2008-10-12 16:06 . 2008-09-21 11:06 25,088 --a------ c:\windows\system\vdsvrlnk.dll
2008-10-08 16:32 . 2008-10-08 16:32 <DIR> d-------- c:\program files\Western Digital Technologies
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-03 18:34 --------- d-----w c:\program files\Symantec AntiVirus
2008-11-03 18:08 --------- d-----w c:\program files\FlashGet
2008-11-03 18:02 --------- d-----w c:\program files\Flock
2008-11-03 11:26 --------- d-----w d:\profiles\Administrator\Application Data\UseNeXT
2008-11-03 09:45 --------- d-----w c:\program files\Motorola MVP
2008-10-30 08:01 --------- d-----w d:\profiles\Administrator\Application Data\Flock
2008-10-26 05:47 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-25 11:09 --------- d-----w c:\program files\SupportSoft_Amer_Motorola
2008-10-24 07:13 --------- d-----w d:\profiles\All Users\Application Data\Apple Computer
2008-10-24 07:12 --------- d-----w d:\profiles\Administrator\Application Data\Apple Computer
2008-10-24 06:55 --------- d-----w d:\profiles\Administrator\Application Data\BSplayer PRO
2008-10-24 06:10 --------- d-----w c:\program files\QuickTime
2008-10-24 04:39 --------- d-----w c:\program files\UseNeXT
2008-10-22 09:53 --------- d-----w c:\program files\Common Files\logishrd
2008-10-22 09:52 --------- d-----w d:\profiles\All Users\Application Data\Logitech
2008-10-22 09:51 --------- d-----w c:\program files\Logitech
2008-10-21 17:37 4,570 ----a-w c:\windows\system32\tmp.reg
2008-09-16 06:27 --------- d-----w c:\program files\WorldMate Live
2008-09-15 07:23 --------- d-----w c:\program files\Crazy Machines
2008-09-04 00:02 730,368 ----a-w c:\windows\system32\oodsvct.exe
2008-09-04 00:02 1,295,616 ----a-w c:\windows\system32\oodag.exe
2008-09-04 00:01 2,524,416 ----a-w c:\windows\system32\oodtray.exe
2008-09-04 00:01 194,816 ----a-w c:\windows\system32\oodbs.exe
2008-09-03 23:58 9,984 ----a-w c:\windows\system32\oodbsrs.dll
2008-09-03 23:58 894,208 ----a-w c:\windows\system32\oodtrrs.dll
2008-09-03 23:58 8,448 ----a-w c:\windows\system32\oodagrs.dll
2008-09-03 23:58 15,616 ----a-w c:\windows\system32\oodagmg.dll
2008-08-29 23:20 15,104 ----a-w c:\windows\system32\ootmapi.dll
2008-03-19 16:02 131 ----a-w c:\program files\INCMREG.bat
2008-03-19 16:02 109 ----a-w c:\program files\UNCMREG.bat
2008-02-23 06:38 32,768 ----a-w d:\profiles\Administrator\dispwd.dll
2008-01-18 10:07 92,064 ----a-w d:\profiles\Administrator\mqdmmdm.sys
2008-01-18 10:07 9,232 ----a-w d:\profiles\Administrator\mqdmmdfl.sys
2008-01-18 10:07 79,328 ----a-w d:\profiles\Administrator\mqdmserd.sys
2008-01-18 10:07 66,656 ----a-w d:\profiles\Administrator\mqdmbus.sys
2008-01-18 10:07 6,208 ----a-w d:\profiles\Administrator\mqdmcmnt.sys
2008-01-18 10:07 5,936 ----a-w d:\profiles\Administrator\mqdmwhnt.sys
2008-01-18 10:07 4,048 ----a-w d:\profiles\Administrator\mqdmcr.sys
2008-01-18 10:07 25,600 ----a-w d:\profiles\Administrator\usbsermptxp.sys
2008-01-18 10:07 22,768 ----a-w d:\profiles\Administrator\usbsermpt.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-02-01 3900776]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-10 218032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-08-04 124656]
"CSCAdvantage"="c:\program files\Help Desk\CSCAdv.exe" [2005-06-09 111403]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-07 344064]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-23 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-08 176128]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-03-01 15872]
"CSCLogonInfo"="c:\windows\UsrLogon.exe" [2006-12-13 127079]
"OODefragTray"="c:\windows\system32\oodtray.exe" [2008-09-04 2524416]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-02-01 3900776]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
d:\profiles\Default User\Start Menu\Programs\Startup\
ADOPTORPHANPROFILE.VBS [2002-08-01 45708]
d:\profiles\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-22 805392]
WordWeb Pro.lnk - c:\program files\WordWeb\wweb32.exe [2007-09-22 44384]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)
"disablecad"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoAutoTrayNotify"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vwnskbot"= {068AE652-5E58-45F9-BEE8-2C7C4E080225} - c:\windows\vwnskbot.dll [2008-10-21 278528]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-07-23 08:46 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\logishrd\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\startupfolder\D:^Profiles^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\profiles\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2007-09-18 13:13 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-02-28 23:06 2321600 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-05-10 11:12 90112 c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-04-07 00:58 1032192 c:\program files\Dell\QuickSet\quickset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-26 18:04 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:22 3739648 c:\program files\Google\Google Talk\googletalk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-07-25 16:06 2027792 c:\program files\Logitech\QuickCam\Quickcam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
--a------ 2005-07-16 02:48 479232 c:\program files\Google\Gmail Notifier\gnotify.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Netmeeting\\conf.exe"= c:\\Program Files\\Netmeeting\\conf.exe
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"113:TCP"= 113:TCP:10.176.1.190/199:enabled:bDNA
"497:TCP"= 497:TCP:10.0.38.5/10:enabled:bDNA2
"6000:TCP"= 6000:TCP:exceed
"135:TCP"= 135:TCP:10.160.5.8:enabled:foundscan
"137:TCP"= 137:TCP:10.197.24.2:enabled:foundscan2
"138:TCP"= 138:TCP:10.0.125.17:enabled:foundscan3
"139:TCP"= 139:TCP:10.0.125.20:enabled:foundscan4
"1503:TCP"= 1503:TCP:10.0.125.21:enabled:foundscan5
"1720:TCP"= 1720:TCP:10.1.250.11:enabled:foundscan6
"1761:TCP"= 1761:TCP:10.64.2.96:enabled:foundscan7
"2701:TCP"= 2701:TCP:10.128.132.49:enabled:iss1
"2702:TCP"= 2702:TCP:10.128.132.49:enabled:iss2
"43189:TCP"= 43189:TCP:10.160.9.87:enabled:iss3
"4445:TCP"= 4445:TCP:10.0.125.19:enabled:iss4
"6401:TCP"= 6401:TCP:192.168.30.7:enabled:iss5
"1023:UDP"= 1023:UDP:144.190.1.100:enabled:iss6
"445:TCP"= 445:TCP:10.0.125.15:enabled:nmap
"123:UDP"= 123:UDP:129.188.57.239:enabled:scanner1
"137:UDP"= 137:UDP:129.188.147.55:enabled:scanner2
"138:UDP"= 138:UDP:192.168.3.1:enabled:scanner3
"2233:UDP"= 2233:UDP:129.188.33.18:enabled:scanner4
"371:UDP"= 371:UDP:10.0.125.13:enabled:scanner5
"407:UDP"= 407:UDP:10.0.125.28:enabled:scanner6
"497:UDP"= 497:UDP:10.193.21.54:enabled:scanner7
"500:UDP"= 500:UDP:10.0.125.11:enabled:scanner8
"600:UDP"= 600:UDP:10.79.40.64:enabled:scanner9
"601:UDP"= 601:UDP:10.79.40.64:enabled:scanner10
"602:UDP"= 602:UDP:10.79.40.64:enabled:scanner11
"603:UDP"= 603:UDP:10.79.40.64:enabled:scanner12
"604:UDP"= 604:UDP:10.79.40.64:enabled:scanner13
"605:UDP"= 605:UDP:10.79.40.64:enabled:scanner14
"606:UDP"= 606:UDP:10.79.40.64:enabled:scanner15
"607:UDP"= 607:UDP:10.79.40.64:enabled:scanner16
"608:UDP"= 608:UDP:10.79.40.64:enabled:scanner17
"609:UDP"= 609:UDP:10.79.40.64:enabled:scanner18
"610:UDP"= 610:UDP:10.79.40.64:enabled:scanner19
"62514:UDP"= 62514:UDP:10.79.40.72,10.82.51.100,10.228.96.22/24,10.228.96.26,10.16.225.208,10.17.193.181,10.17.193.182:enabled:scanner20
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"Enabled"= 1 (0x1)
R0 a320raid;a320raid;c:\windows\system32\DRIVERS\a320raid.sys [2004-07-29 251842]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
R2 CcmExec;SMS Agent Host;c:\windows\system32\CCM\CcmExec.exe [2007-04-13 590712]
R2 WinemaCM Serivce;WinemaCM Serivce;c:\program files\Intel Corporation\IntelWiMAX\UI\wcm_service.exe [2007-04-18 10752]
R3 BeceemPHS;BeceemPHS;c:\windows\system32\DRIVERS\BeceemPHS.sys [2007-06-25 23552]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2002-10-12 9049]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\DRIVERS\gtipci21.sys [2005-05-31 87936]
R3 IPSECSHM;Nortel IPSECSHM Adapter;c:\windows\system32\DRIVERS\ipsecw2k.sys [2002-10-12 115008]
R3 rap;rap;c:\windows\system32\drivers\RapDrv.sys [2008-05-06 50163]
R4 black;black;c:\windows\system32\drivers\BlackCat.sys [2007-06-15 205938]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2002-10-12 115008]
S2 VPatch;ISS Buffer Overflow Exploit Prevention;c:\program files\ISS\Proventia Desktop\vpatch.exe [ ]
S3 BeceemNDIS;TarangService;c:\windows\system32\DRIVERS\drxvi211.sys [2007-06-25 180224]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Motorola MVP\Extranet_serv.exe [2002-10-12 626688]
S3 MakoNT;MakoNT;c:\windows\system32\drivers\isskboep.sys [2007-06-15 80512]
S3 prepdrvr;SMS Process Event Driver;c:\windows\system32\CCM\prepdrv.sys [2007-04-13 23416]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2003-06-19 36676]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2003-06-19 24344]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13c7d8c8-99bb-11dd-b3c6-0016414c14ab}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49a5ddcc-99b6-11dd-b3c5-0016414c14ab}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84483d5b-cf0c-11dc-b36d-444553544200}]
\Shell\Autoplay\Command - F:\smss.exe
\Shell\AutoRun\command - F:\smss.exe
\Shell\Explore\Command - F:\smss.exe
\Shell\Open\Command - F:\smss.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca1e362e-995d-11dd-b3c2-444553544200}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f02011bd-96ad-11dd-b3bf-0012cf4844d0}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{Z99999999-999-9999-9999-CSC-IEPROXY}]
c:\ntutils\IE_Proxy_Update\runpack.exe /reinstall /bypasschk
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{Z99999999-999-9999-9999-MOT-2K3}]
c:\windows\2k3_USR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{Z99999999-999-9999-9999-MOT-EZCD52}]
c:\winnt\System32\REGEZCD5.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{Z99999999-999-9999-9999-MOT-SELFPR}]
c:\ntutils\IE_Proxy_Update-Install.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BAFC1927-A731-4c34-829B-47EE05ADD199}]
"c:\windows\regedit.exe" /s "c:\windows\mot-wmp9.reg"
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C10BF3A1-3FEC-4a94-AAAF-9D6A4B522F63}]
"c:\program files\WinZip\wzusr90.exe" /NOICON /NOTRAY
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C2DA1CDC-EF9D-4B7C-91F8-710B17AD44A7}]
c:\program files\Microsoft Office\Live Meeting 8\Console\LM_StandaloneConsole_2007.exe /q
.
Contents of the 'Scheduled Tasks' folder
2008-11-03 c:\windows\Tasks\CheckNetwork.job
- c:\program files\Motorola\WirelessControl\NetStatus.vbs [2006-09-20 09:24]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-msbfhcaq - c:\windows\system32\byrcjohs.exe
HKLM-Run-BVRPLiveUpdate - c:\program files\LiveUpdate\Engine\Setup.exe
HKLM-Explorer_Run-apsqtkq00p - d:\profiles\All Users\Application Data\luhihkha\vmnctuhu.exe
Notify-mlJAsTjI - mlJAsTjI.dll
MSConfigStartUp-BitComet - c:\program files\BitComet\BitComet.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - d:\profiles\Administrator\Application Data\Mozilla\Firefox\Profiles\v6br3gs0.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-03 23:31:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VPatch]
"ImagePath"="\"c:\program files\ISS\Proventia Desktop\vpatch.exe\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: c:\windows\explorer.exe
-> c:\program files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\scardsvr.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\ISS\Proventia Desktop\blackd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Crypserv.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\windows\system32\oodag.exe
c:\program files\ISS\Proventia Desktop\RapApp.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\CCM\clicomp\RemCtrl\Wuser32.exe
c:\program files\ISS\Proventia Desktop\RapUISvc.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\windows\system32\rundll32.exe
c:\program files\Apoint\hidfind.exe
c:\windows\system32\msiexec.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\Common Files\logishrd\KHAL2\KHALMNPR.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Common Files\logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2008-11-03 23:38:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-03 18:38:22
Pre-Run: 11,352,309,760 bytes free
Post-Run: 11,241,590,784 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=Alwaysoff /fastdetect
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
475
Following is the HijackThis logfile
Logfile of HijackThis v1.99.1
Scan saved at 23:42:01, on 11/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\Intel Corporation\IntelWiMAX\UI\wcm_service.exe
C:\Program Files\ISS\Proventia Desktop\RapUISvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\oodtray.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Profiles\Administrator\Desktop\hijackthis1991.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.mot.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwgate0.mot.com:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.mot.com;*.gi.com;*.local;HELP-MOTOROLA.AMER.CSC.COM;HELP-MOTOROLA.AMER.CSC.COM;SHSH-NXS01.AMER.CSC.COM;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CSCAdvantage] "C:\Program Files\Help Desk\CSCAdv.exe" /s
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [CSCLogonInfo] C:\WINDOWS\UsrLogon.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1190233681562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1190233660062
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://access.motorola.com/dana-cac...erSetupSP1.cab
O16 - DPF: {F53270D3-0E32-48B7-B63B-159E33210F70} (Livelink Edit Control) - http://compass.mot.com/i/webedit/lledit.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ds.mot.com,corp.mot.com,mot.com,am.mot.com,ea.mot.com,ap.mot.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ds.mot.com,corp.mot.com,mot.com,am.mot.com,ea.mot.com,ap.mot.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: vwnskbot - {068AE652-5E58-45F9-BEE8-2C7C4E080225} - C:\WINDOWS\vwnskbot.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Motorola MVP\Extranet_serv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WinemaCM Serivce - Unknown owner - C:\Program Files\Intel Corporation\IntelWiMAX\UI\wcm_service.exe