Tech Support Forum, Resolved HJT Threads
Please help - Outbound to Port 25
Hello dear Gurus,

I hope you can help me. I've tried quite a few things to solve the issue myself, but it looks like only gents like you can. Here's what's happening.

For a few days now, my PC has been trying to connect to many, many external IP addresses, initiating outbound TCP connections to remote port 25. I'm almost always connected to the Net through my ADSL line at home. I noticed the above since Norton Internet Security kept on checking "Outgoing emails" ??? from me, but I wasn't using email. :(

From that point on, I performed the following. Hope all of this can help you.

1. Full deep scan with Norton Antivirus -> Nothing found.
2. Installed Kaspersky Internet Security and blocked outbound TCP to port 25 just to avoid spamming around.
3. Full deep scan with Kaspersky -> Nothing found.
4. Full deep scan with Panda and online Panda -> Nothing found.
5. Full deep scan with AVG -> Nothing found.
6. Full deep scan with Spybot S&D... FOUND SpySheriff and removed it!
7. Cleaned files, registry, etc. with CCleaner several times.
8. Checked again with the firewall :( :( SVCHOST still trying to connect to remote port 25 to many hosts all over the world :(

At this point I ran HijackThis v2 and also Deckard's System Scanner. Attached hereafter are all the logs you may need.

Let me thank you beforehand and wish you in the meantime a Merry Xmas and Happy New Year.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:49:32, on 21-Dec-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\TSC\My Documents\My Downloads\dss.exe
C:\DOCUME~1\TSC\MYDOCU~1\MYDOWN~1\TSC.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Start GetRight.lnk = C:\Program Files\GetRight\getright.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1195737244266
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195737386451
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A5E664C-5138-4917-B9A0-756CE6F2BD5E}: NameServer = 85.37.17.4,85.38.28.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2CD6035-35FE-4C29-8211-3856994B914F}: NameServer = 85.37.17.4,85.38.28.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A5E664C-5138-4917-B9A0-756CE6F2BD5E}: NameServer = 85.37.17.4,85.38.28.70
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: c_iscii32 - C:\WINDOWS\SYSTEM32\c_iscii32.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cryptainersrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7612 bytes

Deckard's System Scanner v20071014.68
Run by TSC on 2007-12-21 13:30:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
25: 2007-12-21 12:30:13 UTC - RP25 - Deckard's System Scanner Restore Point
24: 2007-12-21 10:36:42 UTC - RP24 - Removed Panda Antivirus + Firewall 2007
23: 2007-12-21 10:35:31 UTC - RP23 - Before uninstall Panda Antivirus + Firewall 2007
22: 2007-12-21 09:15:25 UTC - RP22 - Installed Panda Antivirus + Firewall 2007
21: 2007-12-21 09:08:18 UTC - RP21 - Removed Kaspersky Internet Security 7.0.

-- First Restore Point --
1: 2007-12-20 07:25:27 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as TSC.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:30:58, on 21-Dec-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\TSC\My Documents\My Downloads\dss.exe
C:\DOCUME~1\TSC\MYDOCU~1\MYDOWN~1\TSC.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Start GetRight.lnk = C:\Program Files\GetRight\getright.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1195737244266
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195737386451
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A5E664C-5138-4917-B9A0-756CE6F2BD5E}: NameServer = 85.37.17.4,85.38.28.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2CD6035-35FE-4C29-8211-3856994B914F}: NameServer = 85.37.17.4,85.38.28.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A5E664C-5138-4917-B9A0-756CE6F2BD5E}: NameServer = 85.37.17.4,85.38.28.70
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: c_iscii32 - C:\WINDOWS\SYSTEM32\c_iscii32.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cryptainersrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7519 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sr (System Restore Filter Driver) - c:\windows\\systemroot\system32\drivers\sr.sys (file missing)
R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys
R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys <Not Verified; WIDCOMM, Inc.; Bluetooth Software 1.4.2 Build 19 SP1>
S3 neokdss - c:\windows\system32\drivers\neokdss.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ScsiAccess - c:\program files\photodex\proshowproducer\scsiaccess.exe
R2 ssoftservice (Cryptainer service) - cryptainersrv.exe <Not Verified; Cypherix Software (India) Pvt. Ltd.; Cryptainer>
S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" <Not Verified; Nero AG; Nero Home>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.
-- Files created between 2007-11-21 and 2007-12-21 -----------------------------

2007-12-21 13:29:30 0 dr-h----- C:\Documents and Settings\TSC\Recent
2007-12-21 12:13:57 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2007-12-21 11:54:13 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-21 11:54:11 0 d-------- C:\WINDOWS\LastGood
2007-12-21 10:24:13 0 --a------ C:\WINDOWS\system32\drivers\wnmsav.dat
2007-12-21 10:20:03 37 --a------ C:\WINDOWS\r007
2007-12-21 10:14:36 0 d-------- C:\Program Files\Panda Software
2007-12-21 10:13:43 0 d-------- C:\Program Files\Common Files\Panda Software
2007-12-20 21:01:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-20 17:20:06 0 d-------- C:\Documents and Settings\TSC\Application Data\GetRightToGo
2007-12-20 14:44:30 0 d-------- C:\Program Files\Kaspersky Lab
2007-12-20 14:44:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-20 14:44:26 18720 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-20 14:44:26 2109216 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-20 14:43:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-12-20 11:53:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-20 08:41:36 0 d-------- C:\Documents and Settings\TSC\Application Data\SpamTest
2007-12-20 08:40:22 0 d-------- C:\kav
2007-12-17 17:53:50 53248 --a------ C:\WINDOWS\system32\vbalIcoM6.dll <Not Verified; vbAccelerator; vbAccelerator IconMenu DLL - Add Icons to VB Menus>
2007-12-17 17:53:33 37136 --a------ C:\WINDOWS\VIREG32.EXE <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(R) Operating System>
2007-12-12 10:07:14 0 d-------- C:\Program Files\CCleaner
2007-12-09 21:51:24 0 d-------- C:\Documents and Settings\TSC\Application Data\Mp3tag
2007-12-09 18:59:02 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-09 18:58:59 0 d-------- C:\Program Files\Your Uninstaller 2008
2007-12-04 15:26:08 0 d-------- C:\Documents and Settings\All Users\Application Data\espionServerData
2007-12-04 15:21:29 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-04 15:15:09 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-12-04 14:00:30 40960 --a------ C:\WINDOWS\system32\rsnpstd2.dll <Not Verified; ; ResourceDLL>
2007-12-04 14:00:28 0 d-------- C:\Program Files\Common Files\snpstd2
2007-12-04 11:17:00 0 d-------- C:\Program Files\Common Files\EZB Systems
2007-12-04 11:16:59 0 d-------- C:\Program Files\UltraISO
2007-12-04 10:43:44 0 d-------- C:\Documents and Settings\TSC\Application Data\Nero
2007-12-04 10:26:23 0 d-------- C:\Documents and Settings\TSC\Application Data\Ulead Systems
2007-12-04 10:18:40 56832 --a------ C:\WINDOWS\system32\Iyvu9_32.dll
2007-12-04 10:18:40 144384 --a------ C:\WINDOWS\system32\Iacenc.dll <Not Verified; Intel Corporation; Indeo® audio software>
2007-12-04 10:18:08 0 d-------- C:\Program Files\SmartSound Software
2007-12-04 10:18:08 0 d-------- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2007-12-04 10:17:19 86016 --a------ C:\WINDOWS\unvise32qt.exe <Not Verified; MindVision; Installer VISE 2.8.3>
2007-12-04 10:17:07 0 d-------- C:\WINDOWS\system32\QuickTime
2007-12-04 10:17:07 0 d-------- C:\Program Files\QuickTime
2007-12-04 10:17:07 0 d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2007-12-04 10:16:39 73728 --a------ C:\WINDOWS\system32\mplaw7.dll
2007-12-04 10:16:39 61440 --a------ C:\WINDOWS\system32\mplam6.dll
2007-12-04 10:16:39 73728 --a------ C:\WINDOWS\system32\mplaa6.dll
2007-12-04 10:16:39 19968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2007-12-04 10:15:10 0 d-------- C:\Program Files\Common Files\SONY Digital Images
2007-12-04 10:15:08 0 d-------- C:\Program Files\Common Files\Ulead Systems
2007-12-04 10:15:07 0 d-------- C:\Program Files\Ulead Systems
2007-12-04 10:15:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-12-04 10:15:00 0 d-------- C:\WINDOWS\system32\windows media
2007-12-04 10:14:46 0 d-------- C:\Program Files\Windows Media Components
2007-12-04 00:36:58 0 d-------- C:\Program Files\Common Files\SWF Studio
2007-12-04 00:03:07 0 d-------- C:\Documents and Settings\TSC\Application Data\vlc
2007-12-03 15:59:55 0 d-------- C:\Documents and Settings\TSC\Application Data\Symantec
2007-12-03 15:47:47 0 d-------- C:\WINDOWS\system32\URTTEMP
2007-12-03 15:10:43 215144 --a------ C:\WINDOWS\patchw32.dll
2007-12-03 15:09:31 215144 --a------ C:\WINDOWS\pw32a.dll
2007-12-03 13:41:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-03 13:40:37 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-03 11:07:43 0 d-------- C:\Documents and Settings\TSC\Application Data\Help
2007-12-02 23:58:16 0 d-------- C:\Program Files\Microsoft Works
2007-11-30 20:14:14 0 d-------- C:\Data
2007-11-29 14:17:49 0 d-------- C:\Documents and Settings\LocalService\Application Data\Ahead
2007-11-28 15:19:03 0 d-------- C:\Documents and Settings\TSC\Application Data\TomTom
2007-11-28 15:18:52 0 d-------- C:\Documents and Settings\All Users\Application Data\TomTom
2007-11-28 15:18:24 0 d-------- C:\Program Files\TomTom HOME 2
2007-11-28 11:56:35 0 d-------- C:\Documents and Settings\TSC\Application Data\skypePM
2007-11-28 11:56:35 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-11-28 11:56:18 0 d-------- C:\Program Files\Skype
2007-11-28 11:56:17 0 d-------- C:\Program Files\Common Files\Skype
2007-11-28 11:55:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2007-11-28 11:33:05 0 d-------- C:\Program Files\PFE32
2007-11-27 21:29:20 176235 --a------ C:\WINDOWS\system32\Primomonnt.dll
2007-11-27 21:29:10 0 d-------- C:\WINDOWS\PrimoPDF
2007-11-27 21:29:09 0 d-------- C:\Program Files\activePDF
2007-11-27 20:30:45 0 d-------- C:\Documents and Settings\TSC\Application Data\Leadertech
2007-11-27 20:29:11 0 d-------- C:\Program Files\Diskeeper Corporation
2007-11-27 20:27:00 0 d-a------ C:\Program Files\DivFix
2007-11-27 20:24:50 0 d-------- C:\Program Files\VideoLAN
2007-11-27 14:13:38 0 d-------- C:\Program Files\Photodex Presenter
2007-11-27 14:13:38 0 d-------- C:\Documents and Settings\TSC\Application Data\Netscape
2007-11-27 14:13:38 0 d-------- C:\Documents and Settings\TSC\Application Data\Mozilla
2007-11-27 14:13:05 0 d-------- C:\Program Files\Photodex
2007-11-27 14:11:30 0 d-------- C:\Documents and Settings\TSC\Application Data\Photodex
2007-11-27 13:56:23 0 d-------- C:\Program Files\Hoversnap
2007-11-27 13:55:30 0 d-------- C:\Program Files\Mp3tag
2007-11-27 13:55:14 0 d-------- C:\Program Files\MP3Gain
2007-11-27 13:53:38 0 d-------- C:\Program Files\GuerillaSoft
2007-11-27 13:45:33 0 d-------- C:\Documents and Settings\TSC\Application Data\SmartFTP
2007-11-27 13:45:21 0 d-------- C:\Program Files\SmartFTP Client
2007-11-27 13:44:55 0 d-------- C:\Program Files\SmartFTP Client 2.5 Setup Files
2007-11-27 13:41:18 0 d-------- C:\Documents and Settings\TSC\Application Data\Skype
2007-11-27 13:34:30 0 d-------- C:\Program Files\Dnote Software
2007-11-27 13:18:59 0 d-------- C:\Temp
2007-11-27 13:09:56 0 d-------- C:\Documents and Settings\TSC\Application Data\Ahead
2007-11-27 13:07:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-11-27 13:07:23 0 d-------- C:\Program Files\Nero
2007-11-27 13:07:23 0 d-------- C:\Program Files\Common Files\Ahead
2007-11-27 11:00:09 74240 --a------ C:\WINDOWS\system32\cryptainersrv.exe <Not Verified; Cypherix Software (India) Pvt. Ltd.; Cryptainer>
2007-11-27 11:00:08 0 d-------- C:\Program Files\Cryptainer
2007-11-26 23:24:39 0 d-------- C:\Program Files\Alcohol Soft
2007-11-26 23:22:40 639224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-11-26 23:15:10 0 d-------- C:\Program Files\WinMSS
2007-11-26 23:11:53 0 d-------- C:\Program Files\MCW Technologies
2007-11-26 22:49:16 0 d-------- C:\Program Files\ImageShack
2007-11-26 22:45:06 0 d--h----- C:\WINDOWS\PIF
2007-11-26 21:58:29 0 d-------- C:\Program Files\IPSC
2007-11-26 21:55:30 0 d-------- C:\Documents and Settings\TSC\Application Data\Printer Info Cache
2007-11-26 21:55:29 0 d-------- C:\Documents and Settings\TSC\Application Data\Image Zone Express
2007-11-26 21:55:11 0 d-------- C:\Program Files\Common Files\HP
2007-11-25 13:53:04 0 d-------- C:\Documents and Settings\TSC\Application Data\Adobe
2007-11-25 13:51:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-11-25 13:51:17 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-25 11:13:39 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-11-25 11:13:13 0 d-------- C:\WINDOWS\SHELLNEW
2007-11-25 11:11:24 0 d-------- C:\Program Files\Microsoft.NET
2007-11-25 11:09:30 0 dr-h----- C:\MSOCache
2007-11-25 10:47:03 0 d-------- C:\Program Files\WIDCOMM
2007-11-25 10:27:06 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-25 10:25:04 0 d-------- C:\WINDOWS\IIS Temporary Compressed Files
2007-11-25 10:24:30 0 d-------- C:\WINDOWS\system32\Cache
2007-11-25 10:24:08 0 d-------- C:\WINDOWS\system32\FxsTmp
2007-11-25 10:20:28 0 d-------- C:\Inetpub
2007-11-24 10:29:40 0 d-------- C:\Documents and Settings\All Users\Application Data\HP
2007-11-24 10:26:48 0 d-------- C:\Program Files\Hewlett-Packard
2007-11-24 10:25:01 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-11-24 10:22:32 57344 --a------ C:\WINDOWS\system32\HPZisn12.dll <Not Verified; HP; HP SNMP Windows>
2007-11-24 10:22:32 94208 --a------ C:\WINDOWS\system32\HPZipt12.dll <Not Verified; HP; HP SNMP Windows>
2007-11-24 10:22:32 204800 --a------ C:\WINDOWS\system32\HPZipr12.dll <Not Verified; HP; HP PmlRtl>
2007-11-24 10:22:32 73728 --a------ C:\WINDOWS\system32\HPZipm12.exe <Not Verified; HP; HP PML>
2007-11-24 10:22:32 61440 --a------ C:\WINDOWS\system32\HPZinw12.exe <Not Verified; HP; HP Dot4Net Windows>
2007-11-24 10:22:32 278584 --a------ C:\WINDOWS\system32\HPZidr12.dll <Not Verified; HP; HP Dot4Rtl>
2007-11-24 10:10:37 21124 -----n--- C:\WINDOWS\hpomdl07.dat
2007-11-24 10:10:37 112831 --a------ C:\WINDOWS\hpoins07.dat
2007-11-24 10:10:26 0 d-------- C:\Documents and Settings\TSC\Application Data\HP
2007-11-23 13:33:49 0 d-------- C:\WINDOWS\l2schemas
2007-11-23 12:55:43 0 d-------- C:\Documents and Settings\TSC\Application Data\GetRight Pro
2007-11-23 12:21:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Iomatic
2007-11-23 12:19:31 0 d-------- C:\WINDOWS\pss
2007-11-23 12:04:16 0 d--h----- C:\Documents and Settings\eMule_Secure\Templates
2007-11-23 12:04:16 0 dr------- C:\Documents and Settings\eMule_Secure\Start Menu
2007-11-23 12:04:16 0 dr-h----- C:\Documents and Settings\eMule_Secure\SendTo
2007-11-23 12:04:16 0 d--h----- C:\Documents and Settings\eMule_Secure\Recent
2007-11-23 12:04:16 0 d--h----- C:\Documents and Settings\eMule_Secure\PrintHood
2007-11-23 12:04:16 0 d--h----- C:\Documents and Settings\eMule_Secure\NetHood
2007-11-23 12:04:16 0 d-------- C:\Documents and Settings\eMule_Secure\My Documents
2007-11-23 12:04:16 0 d--h----- C:\Documents and Settings\eMule_Secure\Local Settings
2007-11-23 12:04:16 0 d-------- C:\Documents and Settings\eMule_Secure\Favorites
2007-11-23 12:04:16 0 d-------- C:\Documents and Settings\eMule_Secure\Desktop
2007-11-23 12:04:16 0 d--hs---- C:\Documents and Settings\eMule_Secure\Cookies
2007-11-23 12:04:16 0 dr-h----- C:\Documents and Settings\eMule_Secure\Application Data
2007-11-23 12:04:16 0 d---s---- C:\Documents and Settings\eMule_Secure\Application Data\Microsoft
2007-11-23 12:04:15 262144 --ah----- C:\Documents and Settings\eMule_Secure\NTUSER.DAT
2007-11-23 12:02:00 0 d-------- C:\Program Files\eMule
2007-11-23 11:55:41 0 d-------- C:\Program Files\GetRight
2007-11-23 11:44:30 0 d-------- C:\Program Files\HP
2007-11-23 11:44:27 0 d-------- C:\WINDOWS\Downloaded Installations
2007-11-23 09:51:59 0 d-------- C:\Program Files\MSXML 6.0
2007-11-23 09:16:46 0 d-------- C:\Documents and Settings\TSC\Application Data\URSoft
2007-11-23 08:56:05 0 d-------- C:\Program Files\MSBuild
2007-11-23 08:52:37 0 d-------- C:\WINDOWS\system32\XPSViewer
2007-11-23 08:52:00 0 d-------- C:\Program Files\Reference Assemblies
2007-11-23 08:47:44 0 d-------- C:\Program Files\Windows Media Connect 2
2007-11-23 08:46:40 0 d-------- C:\WINDOWS\system32\LogFiles
2007-11-23 08:46:40 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-23 08:45:20 0 d-------- C:\WINDOWS\RegisteredPackages
2007-11-23 08:23:39 0 d-------- C:\WINDOWS\network diagnostic
2007-11-22 19:12:56 0 d-------- C:\WINDOWS\Sun
2007-11-22 19:11:45 0 d-------- C:\Program Files\Java
2007-11-22 19:11:43 0 d-------- C:\Program Files\Common Files\Java
2007-11-22 19:04:39 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2007-11-22 19:03:07 0 d-------- C:\WINDOWS\Prefetch
2007-11-22 18:26:35 0 d-------- C:\Program Files\messenger
2007-11-22 18:26:16 0 d-------- C:\WINDOWS\provisioning
2007-11-22 18:26:16 0 d-------- C:\WINDOWS\peernet
2007-11-22 18:24:38 0 d-------- C:\WINDOWS\ServicePackFiles
2007-11-22 18:18:32 0 d-------- C:\WINDOWS\EHome
2007-11-22 18:15:34 755200 --a------ C:\WINDOWS\system32\Ir50_32.dll <Not Verified; Intel Corporation; Intel Indeo® video 5.11>
2007-11-22 17:45:07 32356 --a------ C:\WINDOWS\system32\pusbfd1.sys <Not Verified; Phoenix Technologies K.K.; USB FDD DRIVER>
2007-11-22 17:44:04 0 d-------- C:\Documents and Settings\TSC\Application Data\Macromedia
2007-11-22 17:43:20 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2007-11-22 17:34:58 0 d-------- C:\Program Files\Synaptics
2007-11-22 17:32:18 30208 --a------ C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2007-11-22 17:32:17 1285632 --a------ C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2007-11-22 17:32:12 765952 --a------ C:\WINDOWS\system\crlds3d.dll <Not Verified; Sensaura Ltd; Sensaura 3DPA>
2007-11-22 17:32:11 0 d-------- C:\WINDOWS\VirtualEar
2007-11-22 17:32:08 49152 --a------ C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2007-11-22 17:32:08 45056 --a------ C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2007-11-22 17:32:08 0 d-------- C:\Program Files\Analog Devices
2007-11-22 17:32:07 44 --a------ C:\WINDOWS\system32\msssc.dll
2007-11-22 17:14:26 0 d-------- C:\Documents and Settings\TSC\Application Data\Sun
2007-11-22 14:54:55 26112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-11-22 14:37:14 0 d-------- C:\Program Files\xp-AntiSpy
2007-11-22 14:30:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-11-22 14:28:05 0 d-------- C:\WINDOWS\system32\PreInstall
2007-11-22 14:28:01 0 d--h----- C:\WINDOWS\$hf_mig$
2007-11-22 14:27:09 0 d-------- C:\WINDOWS\system32\bits
2007-11-22 14:22:19 0 d-------- C:\Program Files\Common Files\ODBC
2007-11-22 14:22:16 0 d-------- C:\Program Files
2007-11-22 14:22:16 0 d-------- C:\Program Files\Common Files
2007-11-22 14:22:16 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-11-22 14:21:53 0 d--h----- C:\Documents and Settings\Default User\Templates
2007-11-22 14:21:53 0 dr------- C:\Documents and Settings\Default User\Start Menu
2007-11-22 14:21:53 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-11-22 14:21:53 0 d--h----- C:\Documents and Settings\Default User\Recent
2007-11-22 14:21:53 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2007-11-22 14:21:53 0 d--h----- C:\Documents and Settings\Default User\NetHood
2007-11-22 14:21:53 0 d-------- C:\Documents and Settings\Default User\My Documents
2007-11-22 14:21:53 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2007-11-22 14:21:53 0 d-------- C:\Documents and Settings\Default User\Favorites
2007-11-22 14:21:53 0 d-------- C:\Documents and Settings\Default User\Desktop
2007-11-22 14:21:53 0 d---s---- C:\Documents and Settings\Default User\Cookies
2007-11-22 14:21:53 0 d--h----- C:\Documents and Settings\All Users\Templates
2007-11-22 14:21:53 0 d-------- C:\Documents and Settings\All Users\Start Menu
2007-11-22 14:21:53 0 d-------- C:\Documents and Settings\All Users\Favorites
2007-11-22 14:21:53 0 dr------- C:\Documents and Settings\All Users\Documents
2007-11-22 14:21:53 0 d-------- C:\Documents and Settings\All Users\Desktop
2007-11-22 14:21:42 0 d-------- C:\WINDOWS\system32\CatRoot2
2007-11-22 14:21:42 0 d-------- C:\WINDOWS\system32\CatRoot
2007-11-22 14:21:36 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-11-22 14:21:36 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2007-11-22 14:21:36 0 d--h----- C:\Documents and Settings\All Users\Application Data
2007-11-22 14:21:36 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2007-11-22 14:21:17 0 d-------- C:\Documents and Settings
2007-11-22 14:16:53 0 d-------- C:\WINDOWS
2007-11-22 14:16:53 0 d-------- C:\WINDOWS\WinSxS
2007-11-22 14:16:53 0 dr------- C:\WINDOWS\Web
2007-11-22 14:16:53 0 d-------- C:\WINDOWS\twain_32
2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32
2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\wins
2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\wbem
2007-11-22 14:16:53 0 d--------
C:\WINDOWS\system32\usmt 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\spool 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\ShellExt 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\Setup 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\ras 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\oobe 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\npp 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\mui 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\inetsrv 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\IME 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\icsxml 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\ias 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\export 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\drivers 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\drivers\etc 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\drivers\disdn 2007-11-22 14:16:53 0 dr-hs--c- C:\WINDOWS\system32\dllcache 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\dhcp 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\config 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\3com_dmi 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\3076 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\2052 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\1054 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\1042 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\1041 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\1037 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\1033 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\1031 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\1028 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system32\1025 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\system 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\security 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\Resources 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\repair 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\mui 2007-11-22 14:16:53 0 d-------- 
C:\WINDOWS\msapps 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\msagent 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\Media 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\java 2007-11-22 14:16:53 0 d--h----- C:\WINDOWS\inf 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\ime 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\Help 2007-11-22 14:16:53 0 dr--s---- C:\WINDOWS\Fonts 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\Driver Cache 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\Debug 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\Cursors 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\Connection Wizard 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\Config 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\AppPatch 2007-11-22 14:16:53 0 d-------- C:\WINDOWS\addins 2007-11-22 14:14:10 0 d-------- C:\WINDOWS\SoftwareDistribution 2007-11-22 14:13:59 0 d--hs---- C:\Documents and Settings\TSC\UserData 2007-11-22 14:02:10 970752 -ra------ C:\WINDOWS\system32\W70MLRES.DLL <Not Verified; Intel Corporation; Intel(R) PRO/Wireless 7100 Adapter> 2007-11-22 14:02:09 0 d-------- C:\Program Files\Intel 2007-11-22 14:01:18 0 d-------- C:\Program Files\ATI Technologies 2007-11-22 14:00:26 0 d-------- C:\WINDOWS\OPTIONS 2007-11-22 13:59:51 0 d-------- C:\Documents and Settings\TSC\Bluetooth Software 2007-11-22 13:59:36 0 d-------- C:\WINDOWS\system32\ReinstallBackups 2007-11-22 13:58:45 0 d---s---- C:\WINDOWS\system32\Microsoft 2007-11-22 13:58:26 0 d-------- C:\Program Files\HPQ 2007-11-22 13:58:24 0 d--h----- C:\Program Files\InstallShield Installation Information 2007-11-22 13:57:48 0 d-------- C:\Program Files\Common Files\InstallShield 2007-11-22 13:57:04 0 d--hs---- C:\WINDOWS\Installer 2007-11-22 13:57:01 0 d-------- C:\Documents and Settings\TSC\Application Data\Identities 2007-11-22 13:56:54 0 d--h----- C:\Documents and Settings\TSC\Templates 2007-11-22 13:56:54 0 d-------- C:\Documents and Settings\TSC\Start Menu 2007-11-22 13:56:54 0 dr-h----- C:\Documents and Settings\TSC\SendTo 2007-11-22 13:56:54 0 d--h----- 
C:\Documents and Settings\TSC\PrintHood 2007-11-22 13:56:54 3932160 --ah----- C:\Documents and Settings\TSC\NTUSER.DAT 2007-11-22 13:56:54 0 d--h----- C:\Documents and Settings\TSC\NetHood 2007-11-22 13:56:54 0 dr------- C:\Documents and Settings\TSC\My Documents 2007-11-22 13:56:54 0 d--h----- C:\Documents and Settings\TSC\Local Settings 2007-11-22 13:56:54 0 dr------- C:\Documents and Settings\TSC\Favorites 2007-11-22 13:56:54 0 d-------- C:\Documents and Settings\TSC\Desktop 2007-11-22 13:56:54 0 d--hs---- C:\Documents and Settings\TSC\Cookies 2007-11-22 13:56:54 0 d--h----- C:\Documents and Settings\TSC\Application Data 2007-11-22 13:54:43 0 d--hs---- C:\System Volume Information 2007-11-22 13:54:41 1572864 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT 2007-11-22 13:54:41 0 d--h----- C:\Documents and Settings\LocalService\Local Settings 2007-11-22 13:54:41 0 d--hs---- C:\Documents and Settings\LocalService\Cookies 2007-11-22 13:54:41 0 d-------- C:\Documents and Settings\LocalService\Application Data 2007-11-22 13:54:41 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft 2007-11-22 13:54:40 1572864 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT 2007-11-22 13:54:40 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings 2007-11-22 13:54:40 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies 2007-11-22 13:54:40 0 d-------- C:\Documents and Settings\NetworkService\Application Data 2007-11-22 13:54:40 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft 2007-11-22 13:47:15 0 d-------- C:\WINDOWS\system32\xircom 2007-11-22 13:47:15 0 d-------- C:\Program Files\microsoft frontpage 2007-11-22 13:46:17 229376 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT 2007-11-22 13:46:09 0 -rahs---- C:\MSDOS.SYS 2007-11-22 13:46:09 0 -rahs---- C:\IO.SYS 2007-11-22 13:46:09 0 --a------ C:\CONFIG.SYS 2007-11-22 13:46:09 0 --a------ C:\AUTOEXEC.BAT 2007-11-22 13:45:14 0 
d--hs---- C:\Documents and Settings\All Users\DRM 2007-11-22 13:45:04 0 dr------- C:\WINDOWS\Offline Web Pages 2007-11-22 13:45:04 0 d---s---- C:\WINDOWS\Downloaded Program Files 2007-11-22 13:44:34 0 d-------- C:\WINDOWS\system32\DirectX 2007-11-22 13:43:56 0 d---s---- C:\WINDOWS\Tasks 2007-11-22 13:43:54 0 d-------- C:\Program Files\Common Files\MSSoap 2007-11-22 13:43:50 0 d-------- C:\WINDOWS\srchasst 2007-11-22 13:43:49 0 d-------- C:\WINDOWS\system32\Macromed 2007-11-22 13:43:47 0 d-------- C:\Program Files\Movie Maker 2007-11-22 13:43:43 0 d-------- C:\WINDOWS\system32\Restore 2007-11-22 13:43:43 0 d-------- C:\WINDOWS\PCHealth 2007-11-22 13:43:07 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat 2007-11-22 13:42:46 0 d-------- C:\WINDOWS\Registration 2007-11-22 13:42:37 0 d-------- C:\Program Files\Online Services 2007-11-22 13:42:25 0 d-------- C:\Program Files\MSN Gaming Zone 2007-11-22 13:41:50 0 d-------- C:\Program Files\Windows NT 2007-11-22 13:41:48 0 d-------- C:\WINDOWS\system32\MsDtc 2007-11-22 13:41:47 0 d-------- C:\WINDOWS\system32\Com -- Find3M Report --------------------------------------------------------------- 2007-11-27 13:48:53 2528 --a------ C:\Documents and Settings\TSC\Application Data\$_hpcst$.hpc 2007-11-26 21:40:23 2059 --a------ C:\Documents and Settings\TSC\Application Data\HPSU_48BitScanUpdate.log 2007-11-26 21:33:09 66588 --a------ C:\Documents and Settings\TSC\Application Data\Update_HP_RedboxHprblog_HPSU.log 2007-11-26 21:31:41 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll <Not Verified; Hewlett Packard; Hewlett Packard Rediscovery Library> 2007-11-25 10:32:37 358 --a------ C:\Documents and Settings\TSC\Application Data\Hewlett-PackardHP PSC 1500 series1195896581_UI.log 2007-11-25 10:32:37 294 --a------ C:\Documents and Settings\TSC\Application Data\Hewlett-PackardHP PSC 1500 series1195896581_PROTOCOL.log 2007-11-25 10:32:33 0 --a------ C:\Documents and Settings\TSC\Application Data\Hewlett-PackardHP PSC 1500 
series1195896581_API.log 2007-11-22 14:21:53 62 --ahs---- C:\Documents and Settings\TSC\Application Data\desktop.ini -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [20-Jan-04 21:10] "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [05-Oct-04 15:25] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [05-Oct-04 15:24] "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [17-Jul-03 13:50] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25-Sep-07 01:11] "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [14-Oct-04 09:11] "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [23-Sep-04 12:41] "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [11-May-05 23:12] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10-Oct-07 19:51] "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [12-Jan-06 15:40] "TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [31-Oct-07 10:19] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04-Dec-07 10:17] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [13-Nov-06 13:39] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-Aug-04 08:56] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [12-Sep-03 11:42:00] HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11-May-05 23:23:26] Start GetRight.lnk - C:\Program Files\GetRight\getright.exe [23-Nov-07 12:54:33] 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "ClearRecentDocsOnExit"=1 (0x1) "NoActiveDesktop"=0 (0x0) "NoSharedDocuments"=01000000 "NoSMHelp"=01000000 "NoLogoff"=0 (0x0) "NoSMMyPictures"=01000000 "NoViewOnDrive"=0 (0x0) "NoDesktopCleanupWizard"=1 (0x1) "NoActiveDesktopChanges"=0 (0x0) "NoTaskGrouping"=1 (0x1) "ForceClassicControlPanel"=1 (0x1) "NoStrCmpLogical"=00000000 "ForceActiveDesktopOn"=0 (0x0) "NoUserNameInStartMenu"=1 (0x1) "Intellimenus"=1 (0x1) "MemCheckBoxInRunDlg"=1 (0x1) "NoSMConfigurePrograms"=1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c_iscii32] c_iscii32.dll 23-Jul-04 03:53 8704 C:\WINDOWS\system32\c_iscii32.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}] @="Volume shadow copy" [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bthsvcs BthServ p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc *Newly Created Service* - GLIIMJITJQNL -- Hosts ----------------------------------------------------------------------- 127.0.0.1 webbrowser.tv 127.0.0.1 www.webbrowser.tv 127.0.0.1 urawa.cool.ne.jp 127.0.0.1 by.ru 127.0.0.1 www.by.ru 127.0.0.1 f*ckdenniss.com 127.0.0.1 f*cknicepics.com 127.0.0.1 free-f*cking-video.com 127.0.0.1 needf*cknow.com 127.0.0.1 satisf*cktion.net 20 more entries in hosts file. -- End of Deckard's System Scanner: finished at 2007-12-21 13:32:16 ------------ |
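The two entries in the Registry Dump above that the helper later acted on are the Winlogon\Notify package (a DLL loaded into winlogon.exe at every logon) and the newly created service with a nonsense name. DSS itself notes that it hides default entries, so anything it prints in those sections is worth a question. The Python below is an added example, not code from the thread or from Deckard's System Scanner: it parses DSS-style Registry Dump text and lists those two entry types with a reason to ask about each. SAMPLE_DUMP is a constructed excerpt in the same layout as the log above (the c_iscii32 and GLIIMJITJQNL lines are the posted ones; the sclgntfy line is made up as a stock counter-example), and both the list of stock XP notify packages and the random-name heuristic are this example's own assumptions.

```python
"""Triage of the "Registry Dump" section of a Deckard's System Scanner log:
Winlogon\\Notify packages and newly created services.

Added example, not part of the thread or of DSS itself. SAMPLE_DUMP is a
constructed excerpt in the layout of the log posted above; the stock package
list and the random-name heuristic are this example's own assumptions.
"""
import re

# Winlogon\Notify subkeys found on a stock Windows XP install (assumption of
# this example). DSS already hides entries it knows to be default, so a key
# it prints that is also absent from this set deserves a second look.
XP_DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

NOTIFY_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\([^\]]+)\]$", re.IGNORECASE)
# Detail line under a notify key: "<dll> <date> <time> <size> <full path>"
NOTIFY_DETAIL = re.compile(r"^(\S+\.dll)\s+(\S+ \S+)\s+(\d+)\s+(.+)$", re.IGNORECASE)
NEW_SERVICE = re.compile(r"^\*Newly Created Service\*\s*-\s*(\S+)$")

# Constructed sample: first and last entries copied from the posted log, the
# sclgntfy entry invented (date and size are placeholders) as a stock package.
SAMPLE_DUMP = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\c_iscii32]
c_iscii32.dll 23-Jul-04 03:53 8704 C:\\WINDOWS\\system32\\c_iscii32.dll

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\sclgntfy]
sclgntfy.dll 04-Aug-04 08:56 13312 C:\\WINDOWS\\system32\\sclgntfy.dll

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\svchost]
bthsvcs BthServ

*Newly Created Service* - GLIIMJITJQNL
"""


def parse_registry_dump(text):
    """Return (notify_entries, new_services) found in a DSS Registry Dump."""
    notify, services = [], []
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        m = NOTIFY_KEY.match(line)
        if m:
            name = m.group(1)
            entry = {"key": name, "dll": None, "path": None,
                     "default": name.lower() in XP_DEFAULT_NOTIFY}
            if i + 1 < len(lines):                 # DSS prints the DLL on the next line
                d = NOTIFY_DETAIL.match(lines[i + 1])
                if d:
                    entry["dll"], entry["path"] = d.group(1), d.group(4)
            notify.append(entry)
            continue
        m = NEW_SERVICE.match(line)
        if m:
            services.append(m.group(1))
    return notify, services


def looks_random(name):
    """Crude test for a generated service name: eight or more upper-case
    letters containing a run of four or more consonants. Vendor names such
    as BthServ (mixed case) pass."""
    if not (name.isalpha() and name.isupper() and len(name) >= 8):
        return False
    run = longest = 0
    for ch in name:
        run = 0 if ch in "AEIOU" else run + 1
        longest = max(longest, run)
    return longest >= 4


def triage(text):
    """Findings a helper would raise from the dump, in report order."""
    notify, services = parse_registry_dump(text)
    findings = []
    for e in notify:
        if not e["default"]:
            findings.append(f"Winlogon notify package '{e['key']}' loads {e['path']} "
                            f"into winlogon.exe and is not a stock XP package: "
                            f"submit the file for analysis")
    for s in services:
        tag = "random-looking name" if looks_random(s) else "unknown name"
        findings.append(f"newly created service '{s}' ({tag}): check its "
                        f"ImagePath and the binary it points to")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DUMP):
        print(finding)
```

Run on the sample it reports the c_iscii32 notify package and the GLIIMJITJQNL service and stays quiet about sclgntfy; on a real log the allowlist is the part to maintain, since any Winlogon\Notify DLL outside it runs with the logon process's privileges.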
#2
Registered User
Re: Please help - Outbound to Port 25
Hello,
I wanted to add a new piece of information. The worm has changed behaviour. After I blocked port 25 TCP outbound, it started trying to connect to port 80 outbound TCP and no longer tried port 25. Looks like it detected that I was blocking port 25.. I created a new firewall rule to block SVCHOST connecting to remote port 80 as well.. PLEASE HELP!! Thank you!
TSC
#4
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,345
OS: xp
Re: Please help - Outbound to Port 25
Welcome, sorry for the delay
Please submit this file C:\WINDOWS\system32\c_iscii32.dll here http://www.bleepingcomputer.com/submit-malware.php? Thanks

Post a combofix log

1. Download this file - combofix.exe to your desktop
http://www.forospyware.com/sUBs/Beta/ComboFix.exe
alternate link
http://subs.geekstogo.com/Beta/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

If you already have combofix, please re-download it, as it is updated often.
#5
Registered User
Re: Please help - Outbound to Port 25
Hi, first of all thank you for your help, and please don't apologize, you probably have hundreds of people to help..
OK, I posted the dll file as you asked. I also ran ComboFix as you instructed me to do. Attached here is the log file.
A couple of additional pieces of information:
First, once ComboFix had finished, say 1 minute after that, Kaspersky Internet Security 7.0 signalled me that it is infected with the Heur.Invader virus. I took it as a false positive. However, I have now deleted the file.. just to be sure.
Second, after a few seconds, again Kaspersky signalled me that Regedit.exe was attempting to modify the registry. It did so for, say, 5 or 6 times, and I let it modify it for a few items, and others I have denied. In case it is needed, I should have these in the Kaspersky logs, I presume.
That's all. Again thanks for the great help.
TSC
#6
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,345
OS: xp
Re: Please help - Outbound to Port 25
Download this file - combofix.exe to your desktop (don't run it yet)
http://www.forospyware.com/sUBs/Beta/ComboFix.exe

Launch Notepad (Important, not WordPad or another third-party text editor), and copy and paste the contents of the code box below into a new text file. (don't include the word code) Save it as file name: cfscript.txt

Code:
file::
registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c_iscii32]
Rootkit::
C:\WINDOWS\system32\c_iscii32.dll
C:\WINDOWS\system32\fyxp.dll
Killall::

http://users.pandora.be/bluepatchy/m...s/CFScript.gif

As in the picture above, drag and drop cfscript.txt onto combofix.exe. When it is finished a text will open; post it.

Don't forget to turn Kaspersky on before connecting to the internet.
#9
Registered User
Re: Please help - Outbound to Port 25
Ehm.... I believe I have bad news. I have deleted such directory. :-(
However, let me tell you a good thing. I have looked into the firewall logs. If you remember, I had created a rule to block in/out TCP connections to ports 80 and 25. That rule was triggered every second or so by the malware. Since we started using ComboFix, or after it last ran, the firewall is not being triggered anymore.. :) It may be too early to celebrate, but...
Sorry for deleting such file.. Kaspersky again signalled that some of the files in there contained viruses and I thought you did not need them. I know "users" sometimes create more trouble than viruses...
TSC
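Two observations in this thread make good firewall-log detection signals, independently of which port the bot happens to use: post #2 describes svchost reaching many different remote hosts on port 25 and then moving to port 80 once 25 was blocked, and this post describes the block rule firing about once a second until the cleanup. The Python below is an added example, not code from the thread, from Kaspersky or from any firewall product: it runs a fan-out rule over constructed log lines (the column layout is this example's own, not a Kaspersky or Windows Firewall export, so parse_line() is the part to adapt) and then pairs alerts for the same process to surface the port change.

```python
"""Fan-out detection over firewall log lines: one process opening outbound
TCP connections to many distinct hosts on the same port inside a short window.

Added example, not code from the thread or from any firewall product. The
column layout (date time process direction proto dst_ip dst_port action) is
constructed for this example; a Kaspersky or Windows Firewall export needs
its own field mapping in parse_line().
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_log():
    """Build sample lines: a bot-like svchost.exe burst on port 25, ordinary
    mail and browser traffic, then the same svchost.exe burst on port 80 ten
    minutes later (the move described in post #2). Addresses come from the
    RFC 5737 documentation ranges."""
    base = datetime(2007, 12, 21, 13, 30, 0)
    rows = []

    def row(t, proc, dst, port, action):
        rows.append(f"{t:%Y-%m-%d %H:%M:%S} {proc} OUT TCP {dst} {port} {action}")

    for i in range(15):                                   # 15 mail servers in 15 s
        row(base + timedelta(seconds=i), "svchost.exe", f"203.0.113.{i + 1}", 25, "BLOCK")
    for i in range(3):                                    # real mail client: one server
        row(base + timedelta(seconds=20 + 5 * i), "outlook.exe", "192.0.2.5", 25, "ALLOW")
    for i in range(4):                                    # browser: a few sites
        row(base + timedelta(seconds=30 + i), "iexplore.exe", f"198.51.100.{200 + i}", 80, "ALLOW")
    for i in range(15):                                   # bot again, now on port 80
        row(base + timedelta(minutes=10, seconds=i), "svchost.exe", f"198.51.100.{i + 1}", 80, "BLOCK")
    return rows


SAMPLE_LOG_LINES = _constructed_log()


def parse_line(line):
    """Split one constructed log line into a dict with a datetime and int port."""
    date, clock, proc, direction, proto, dst, port, action = line.split()
    return {"ts": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "proc": proc, "dir": direction, "proto": proto,
            "dst": dst, "port": int(port), "action": action}


def fanout_alerts(lines, window=timedelta(seconds=60), threshold=10):
    """One alert per (process, port) whose peak count of distinct destination
    hosts inside any `window` reaches `threshold`. Allowed and blocked hits
    both count: the behaviour is the signal, not the verdict. No port is
    hard-coded, so a bot that moves from 25 to 80 trips the rule again."""
    by_key = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["dir"] == "OUT" and ev["proto"] == "TCP":
            by_key[(ev["proc"], ev["port"])].append(ev)

    alerts = []
    for (proc, port), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        peak, start = 0, 0
        for end in range(len(evs)):                       # sliding time window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, len({e["dst"] for e in evs[start:end + 1]}))
        if peak >= threshold:
            alerts.append({"proc": proc, "port": port, "distinct_hosts": peak,
                           "first": evs[0]["ts"], "last": evs[-1]["ts"]})
    return sorted(alerts, key=lambda a: a["first"])


def port_shifts(alerts):
    """Pair alerts for the same process where a second port lights up only
    after the first went quiet, e.g. ('svchost.exe', 25, 80)."""
    by_proc = defaultdict(list)
    for a in alerts:
        by_proc[a["proc"]].append(a)
    shifts = []
    for proc, items in by_proc.items():
        items.sort(key=lambda a: a["first"])
        for earlier, later in zip(items, items[1:]):
            if later["first"] > earlier["last"]:
                shifts.append((proc, earlier["port"], later["port"]))
    return shifts


if __name__ == "__main__":
    found = fanout_alerts(SAMPLE_LOG_LINES)
    for a in found:
        print(f"{a['proc']} -> {a['distinct_hosts']} hosts on tcp/{a['port']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    for proc, old, new in port_shifts(found):
        print(f"{proc} moved from tcp/{old} to tcp/{new}")
```

The mail client and the browser in the sample never trip the rule: one talks to a single server repeatedly, the other to a handful of sites, and neither reaches ten distinct hosts on one port. Keying on distinct destinations per process rather than on port 25 alone is what keeps the rule useful after the bot switches ports, which is exactly what the per-port block rule in post #2 could not do.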