Stubborn browser hijacker [RESOLVED]

Welcome Guest ( Log In | Join )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Spyware, virus, trojan, fake security or privacy alerts? Read the malware cleaning guide. Want to reply to a topic, start a new one, or remove the advertising? Join today (always free).

> Geeks to Go! » Security » Malware Removal - HijackThis� Logs Go Here

Stubborn browser hijacker [RESOLVED]

Options

judypants View Member Profile	Oct 6 2008, 08:22 AM Post #1
New Member Posts: 7 OS: Windows XP	Hi! I've got an IE hijacker that I can't seem to get rid of. I followed the required steps. Malwarebytes seems to solve the problem, but after restarting, it always comes back. Thanks for looking at it. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:17:28 AM, on 10/6/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Novell\XTAgent.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Novell\ZENworks\nalntsrv.exe C:\Program Files\PatchLink\Update Agent\GRAVITIXSERVICE.exe C:\Program Files\PDF Complete\pdfsvc.exe C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe C:\Program Files\Novell\ZENworks\wm.exe C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe \SYS\PUBLIC\clntrust.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\PDF Complete\pdfsty.exe C:\Program Files\PatchLink\Update Agent\Dagent.exe C:\WINDOWS\system32\dpmw32.exe C:\WINDOWS\system32\NWTRAY.EXE C:\Program Files\PatchLink\Update Agent\pddm.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\Novell\ZENworks\NalAgent.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.3929.cn?tn=102720 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.9.2:8080 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe" O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe" O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe" O4 - HKLM\..\Run: [PDDM] C:\Program Files\PatchLink\Update Agent\pddm.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: .zenpatchmgmt (HKLM) O15 - ESC Trusted Zone: .zenpatchmgmt (HKLM) O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1222118548484 O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe O23 - Service: PatchLink Update - Novell, Inc. - C:\Program Files\PatchLink\Update Agent\GRAVITIXSERVICE.exe O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: TL Filter Agent 28 - Timeline, Inc. - C:\Program Files\Timeline Analyst\Shared\TLFSAgt28.exe O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe -- End of file - 8615 bytes

emeraldnzl View Member Profile	Oct 7 2008, 05:28 PM Post #2
Trusted Helper Posts: 2,342 OS: XP Pro	Hello judypants, Welcome to Geekstogo. Please read this post completely, it may make it easier if you copy and paste this post to a new text document or print it for reference later. This will especially help you when your computer is off line. It is important you carry out instructions exactly in the order they appear. Now Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix) Please then reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, the Advanced Options Menu should appear; Select the first option, to run Windows in Safe Mode, then press Enter. Choose your usual account. Open the extracted SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. Press any Key and it will restart the PC. When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum). Finally paste the contents of the Report.txt back on the forum. Next Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix. Included in the tutorial are instructions for the installation of a recovery program if you don't already have it - Windows XP Recovery Console. For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058. When you reboot your computer after installation, you will see the additional option for the Recovery Console present. Don't select Recovery Console as we don't need it. It is only there for emergency recovery use. By default, your main OS is selected here. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal. Once you have completed installation of the the Recovery Console. -------------------------------------------------------------------- 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. -------------------------------------------------------------------- Double click on ComboFix.exe & follow the prompts. When finished, it will produce a report for you. Please post the C:\ComboFix.txt along with a new HijackThis log for further review. So when you come back please post SDFix Report.txt ComboFix.txt and a new HijackThis log It may be that your reports will not all fit in the one post; just use as many posts as necessary, that't fine.

judypants View Member Profile	Oct 8 2008, 10:24 AM Post #3
New Member Posts: 7 OS: Windows XP	Thank you, here they are. I apologize that the recovery console is not installed as it instructs. I thought I installed it but I must have done something wrong. I didn't want to go back and do anything differently though without checking with you. SDFix: Version 1.233 Run by Administrator on Wed 10/08/2008 at 07:43 AM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Default Security Values Restoring Default Hosts File Rebooting Checking Files : No Trojan Files Found Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-08 07:51:45 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden services & system hive ... [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance] "Last Counter"=dword:00000eec "Last Help"=dword:00000eed "Object List"="3816" scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Novell\\GroupWise\\grpwise.exe"="C:\\Novell\\GroupWise\\grpwise.exe::Enabled:Novell GroupWise" "C:\\Novell\\GroupWise\\notify.exe"="C:\\Novell\\GroupWise\\notify.exe::Enabled:Novell Notify" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" Remaining Files : Files with Hidden Attributes : Mon 23 Jun 2008 625,664 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe" Mon 14 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe" Mon 15 Sep 2008 1,562,960 A.SH. --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe" Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" Thu 13 Sep 2007 68,608 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL0003.tmp" Thu 13 Sep 2007 68,096 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL2489.tmp" Mon 16 Jul 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp" Thu 13 Sep 2007 69,632 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0448.tmp" Thu 13 Sep 2007 75,776 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0510.tmp" Thu 13 Sep 2007 77,824 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0991.tmp" Thu 13 Sep 2007 75,264 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1240.tmp" Thu 13 Sep 2007 72,704 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1368.tmp" Thu 13 Sep 2007 72,192 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1679.tmp" Thu 13 Sep 2007 71,680 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1875.tmp" Thu 13 Sep 2007 74,240 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2395.tmp" Thu 13 Sep 2007 74,752 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3959.tmp" Finished! ComboFix 08-10-07.06 - Administrator 2008-10-08 8:55:26.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.531 [GMT -7:00] Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\Install.txt C:\WINDOWS\system32\C94Vcw.dll C:\WINDOWS\system32\mdm.exe C:\WINDOWS\system32\mywfhit.ini C:\WINDOWS\system32\mywfhit.ini.tmp C:\WINDOWS\system32\rtl60.bpl C:\WINDOWS\system32\x64 C:\WINDOWS\tawisys.ini . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_AFISICX -------\Legacy_MABIDWE -------\Legacy_NOYTCYR -------\Legacy_ROYTCTM -------\Legacy_SEIUCTOL -------\Legacy_SOXPECA -------\Legacy_TDYDOWKC -------\Legacy_WSLDOEKD -------\Service_seiuctol ((((((((((((((((((((((((( Files Created from 2008-09-08 to 2008-10-08 ))))))))))))))))))))))))))))))) . 2008-10-08 07:51 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll 2008-10-08 07:51 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui 2008-10-08 07:42 . 2008-10-08 07:42 578,560 --a------ C:\WINDOWS\system32\dllcache\user32.dll 2008-10-08 07:41 . 2008-10-08 07:41 <DIR> d-------- C:\WINDOWS\ERUNT 2008-10-08 07:30 . 2008-10-08 07:53 <DIR> d-------- C:\SDFix 2008-10-02 11:59 . 2008-10-02 12:03 <DIR> d-------- C:\WINDOWS\ServicePackFiles 2008-10-02 11:55 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\002776_.tmp 2008-10-02 11:50 . 2008-10-02 11:50 <DIR> d-------- C:\Documents and Settings\Setup\Application Data\Talkback 2008-10-01 08:36 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-10-01 08:35 . 2008-10-01 08:35 <DIR> d-------- C:\Program Files\Common Files\Java 2008-10-01 08:33 . 2008-10-01 08:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback 2008-10-01 08:23 . 2008-10-01 08:26 <DIR> d-------- C:\Program Files\MSECACHE 2008-09-22 14:20 . 2007-04-25 13:45 <DIR> d--hs---- C:\Documents and Settings\CJones\UserData 2008-09-22 14:20 . 2007-04-25 13:50 <DIR> d-------- C:\Documents and Settings\CJones\Application Data\OfficeUpdate12 2008-09-22 14:20 . 2007-04-25 13:33 <DIR> d-------- C:\Documents and Settings\CJones\Application Data\Microsoft Web Folders 2008-09-22 14:20 . 2008-09-22 14:20 <DIR> d-------- C:\Documents and Settings\CJones 2008-09-22 14:06 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui 2008-09-22 13:51 . 2008-05-01 07:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll 2008-09-22 13:44 . 2008-04-11 12:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll 2008-09-22 11:50 . 2008-09-22 11:50 <DIR> d-------- C:\Documents and Settings\Setup\Application Data\Malwarebytes 2008-09-18 14:59 . 2008-09-18 14:59 552 --a------ C:\WINDOWS\system32\d3d8caps.dat 2008-09-09 15:27 . 2008-09-11 08:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-09-09 15:27 . 2008-09-09 15:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-09-09 15:27 . 2008-09-09 15:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes 2008-09-09 15:27 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-09-09 15:27 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-09-09 13:59 . 2008-10-01 10:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy 2008-09-09 11:33 . 2008-09-09 11:33 <DIR> d-------- C:\Program Files\Trend Micro 2008-09-09 07:20 . 2008-09-09 07:20 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM 2008-09-09 07:11 . 2008-09-09 14:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-09-08 15:06 . 2008-09-08 15:06 <DIR> d-------- C:\Program Files\Lavasoft 2008-09-08 15:06 . 2008-09-08 15:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-09-08 07:13 . 2008-09-09 15:34 <DIR> d-------- C:\WINDOWS\system32\inf . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-08 16:00 --------- d-----w C:\Program Files\Symantec AntiVirus 2008-10-01 15:36 --------- d-----w C:\Program Files\Java 2008-09-08 22:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-08-26 21:45 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer 2007-04-26 17:33 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat 2007-05-17 18:33 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007051720070518\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-21 98304] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-07-21 86016] "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-07-21 81920] "PDF Complete"="C:\Program Files\PDF Complete\pdfsty.exe" [2006-07-14 279576] "SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824] "NDPS"="C:\WINDOWS\system32\dpmw32.exe" [2004-05-17 32859] "ZENRC Tray Icon"="C:\WINDOWS\system32\zentray.exe" [2005-05-18 40960] "Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2002-08-12 20530] "Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [2002-08-12 20480] "PDDM"="C:\Program Files\PatchLink\Update Agent\pddm.exe" [2005-08-09 394816] "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 35328] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840] "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-10-07 125368] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "NWTRAY"="NWTRAY.EXE" [2002-03-12 C:\WINDOWS\system32\nwtray.exe] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696] Application Explorer.lnk - C:\Program Files\Novell\ZENworks\NalView.exe [2006-06-13 35840] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "CompatibleRUPSecurity"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{763370C4-268E-4308-A60C-D8DA0342BE32}"= "C:\Program Files\Novell\ZENworks\NalShell.dll" [2006-06-28 446464] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification] 2006-05-02 09:17 24576 C:\WINDOWS\system32\novell\xtnotify.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Novell\\GroupWise\\grpwise.exe"= "C:\\Novell\\GroupWise\\notify.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= R0 pozvk;pozv;C:\WINDOWS\system32\drivers\pozvk.sys [2004-08-04 28960] R2 BlankScr;HBDevice;C:\WINDOWS\system32\drivers\BlankScr.sys [2005-05-23 6899] R2 pdfcDispatcher;PDF Document Manager;C:\Program Files\PDF Complete\pdfsvc.exe [2006-07-14 534040] R2 Remote Management Agent;Novell ZENworks Remote Management Agent;C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2006-05-09 167936] R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe [2007-04-25 49152] R2 WNTHW;WNTHW;C:\WINDOWS\system32\DRIVERS\WNTHW.SYS [2007-04-25 9176] R2 XTAgent;Novell XTier Agent Services;C:\WINDOWS\System32\Novell\XTAgent.exe [2006-05-02 61440] S3 SDTHelper;Helper driver for SDT-Tool;C:\Documents and Settings\Administrator\Desktop\WOOT\sdthlpr.sys [ ] S3 TL Filter Agent 28;TL Filter Agent 28;C:\Program Files\Timeline Analyst\Shared\TLFSAgt28.exe [2003-06-11 151552] . . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\f6slj2nx.default\ FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-08 09:00:43 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher] "ImagePath"="C:\Program Files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService" . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\WINDOWS\system32\xmlparse.dll -> C:\WINDOWS\system32\NWSHLXNT.dll -> C:\WINDOWS\system32\NLS\ENGLISH\NWSHLXNR.DLL . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Novell\ZENworks\NALNTSRV.EXE C:\Program Files\PatchLink\Update Agent\GravitixService.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Novell\ZENworks\WM.EXE C:\Program Files\PatchLink\Update Agent\dagent.exe WAP\SYS\PUBLIC\CLNTRUST.EXE C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Novell\ZENworks\NalAgent.exe . ************************************************************************ . Completion time: 2008-10-08 9:03:41 - machine was rebooted [Administrator] ComboFix-quarantined-files.txt 2008-10-08 16:03:32 Pre-Run: 64,334,704,640 bytes free Post-Run: 64,255,389,696 bytes free 174 --- E O F --- 2008-04-16 16:15:05 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:22:07 AM, on 10/8/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Novell\XTAgent.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Novell\ZENworks\nalntsrv.exe C:\Program Files\PatchLink\Update Agent\GRAVITIXSERVICE.exe C:\Program Files\PDF Complete\pdfsvc.exe C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe C:\Program Files\Novell\ZENworks\wm.exe \WAP\SYS\PUBLIC\clntrust.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\PDF Complete\pdfsty.exe C:\WINDOWS\system32\dpmw32.exe C:\WINDOWS\system32\NWTRAY.EXE C:\Program Files\PatchLink\Update Agent\pddm.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.3929.cn?tn=102720 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.9.2:8080 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe" O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe" O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe" O4 - HKLM\..\Run: [PDDM] C:\Program Files\PatchLink\Update Agent\pddm.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: .zenpatchmgmt (HKLM) O15 - ESC Trusted Zone: .zenpatchmgmt (HKLM) O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1222118548484 O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe O23 - Service: PatchLink Update - Novell, Inc. - C:\Program Files\PatchLink\Update Agent\GRAVITIXSERVICE.exe O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: TL Filter Agent 28 - Timeline, Inc. - C:\Program Files\Timeline Analyst\Shared\TLFSAgt28.exe O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe -- End of file - 7893 bytes

emeraldnzl View Member Profile	Oct 8 2008, 01:12 PM Post #4
Trusted Helper Posts: 2,342 OS: XP Pro	Hi judypants, Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.3929.cn?tn=102720 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.9.2:8080 Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Now 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 3. Open notepad and copy/paste the text in the quotebox below into it: QUOTE KillAll:: File:: C:\WINDOWS\system32\drivers\pozvk.sys Driver:: pozvk Save this as CFScript.txt, in the same location as ComboFix.exe Refering to the picture above, drag CFScript into ComboFix.exe When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply. Next Kaspersky only works if you are using Internet Explorer. Please do an online scan with Kaspersky WebScanner. Click on the Kaspersky Online Scanner button. A box will come up, click Accept, this will allow it to install an ActiveX component and download its latest anti-virus database. (Note: It may take a couple of minutes) Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: * Scan using the following Anti-Virus database: Extended (if available otherwise Standard) * Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. * Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post. So when you return please post ComboFix .txt Kaspersky scan results and a fresh HijackThis log

judypants

Oct 9 2008, 09:35 AM

Post #5

New Member

Posts: 7
OS: Windows XP

Hi! Here are the logs, thank you.

ComboFix 08-10-07.06 - Administrator 2008-10-08 13:04:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.507 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\drivers\pozvk.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\pozvk.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_POZVK
-------\Service_pozvk

((((((((((((((((((((((((( Files Created from 2008-09-08 to 2008-10-08 )))))))))))))))))))))))))))))))
.

2008-10-08 07:51 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-10-08 07:51 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-10-08 07:42 . 2008-10-08 07:42 578,560 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-10-08 07:41 . 2008-10-08 07:41 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-08 07:30 . 2008-10-08 07:53 <DIR> d-------- C:\SDFix
2008-10-02 11:59 . 2008-10-02 12:03 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-10-02 11:55 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\002776_.tmp
2008-10-02 11:50 . 2008-10-02 11:50 <DIR> d-------- C:\Documents and Settings\Setup\Application Data\Talkback
2008-10-01 08:36 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-01 08:35 . 2008-10-01 08:35 <DIR> d-------- C:\Program Files\Common Files\Java
2008-10-01 08:33 . 2008-10-01 08:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-10-01 08:23 . 2008-10-01 08:26 <DIR> d-------- C:\Program Files\MSECACHE
2008-09-22 14:20 . 2007-04-25 13:45 <DIR> d--hs---- C:\Documents and Settings\CJones\UserData
2008-09-22 14:20 . 2007-04-25 13:50 <DIR> d-------- C:\Documents and Settings\CJones\Application Data\OfficeUpdate12
2008-09-22 14:20 . 2007-04-25 13:33 <DIR> d-------- C:\Documents and Settings\CJones\Application Data\Microsoft Web Folders
2008-09-22 14:20 . 2008-09-22 14:20 <DIR> d-------- C:\Documents and Settings\CJones
2008-09-22 14:06 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-09-22 13:51 . 2008-05-01 07:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-09-22 13:44 . 2008-04-11 12:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-09-22 11:50 . 2008-09-22 11:50 <DIR> d-------- C:\Documents and Settings\Setup\Application Data\Malwarebytes
2008-09-18 14:59 . 2008-09-18 14:59 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-09-09 15:27 . 2008-09-11 08:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-09 15:27 . 2008-09-09 15:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-09 15:27 . 2008-09-09 15:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-09 15:27 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 15:27 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-09 13:59 . 2008-10-01 10:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-09 11:33 . 2008-09-09 11:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-09 07:20 . 2008-09-09 07:20 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-09-09 07:11 . 2008-09-09 14:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-08 15:06 . 2008-09-08 15:06 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-08 15:06 . 2008-09-08 15:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-08 07:13 . 2008-09-09 15:34 <DIR> d-------- C:\WINDOWS\system32\inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-08 19:38 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-10-01 15:36 --------- d-----w C:\Program Files\Java
2008-09-08 22:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-26 21:45 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-04-26 17:33 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2007-05-17 18:33 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007051720070518\index.dat
.

------- Sigcheck -------

2007-03-07 10:40 823296 b8f4db39ca7353752f245379d285c80e C:\WINDOWS\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
2007-04-25 02:08 823808 431defbb4a3d7b0dc062c1b064623a2f C:\WINDOWS\$hf_mig$\KB933566-IE7\SP2QFE\wininet.dll
2007-06-27 07:40 824320 d6ed5e042c5207553e7f5e842918137f C:\WINDOWS\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
2007-08-20 03:02 825344 357d54bf94fe9d6d8505a96b5c2a3bca C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
2007-10-10 16:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-06 19:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 06:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2008-04-22 20:35 827392 41546b396a526918da7995a02ea04e51 C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
2008-06-23 09:01 827904 c66402a06b83b036c195242c0c8cf83c C:\WINDOWS\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
2004-08-04 00:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\$NtUninstallKB928090$\wininet.dll
2007-01-04 07:05 665088 3ffa1573fc274e5aa7467d03941c45ee C:\WINDOWS\ie7\wininet.dll
2006-11-07 21:03 818688 92995334f993e6e49c25c6d02ec04401 C:\WINDOWS\ie7updates\KB928090-IE7\wininet.dll
2007-01-12 09:27 822784 be43d00d802c92f01c8cc952c6f483f8 C:\WINDOWS\ie7updates\KB931768-IE7\wininet.dll
2007-03-07 10:45 822784 5b35dae6e4886f64d1da58c4e3e01eb9 C:\WINDOWS\ie7updates\KB933566-IE7\wininet.dll
2007-04-25 01:41 822784 0586a7f0b2fdb94d624f399d4728e7c8 C:\WINDOWS\ie7updates\KB937143-IE7\wininet.dll
2007-06-27 07:34 823808 8068cbb58fe60cc95aeb2cff70178208 C:\WINDOWS\ie7updates\KB939653-IE7\wininet.dll
2007-08-20 03:04 824832 774435e499d8e9643ec961a6103c361f C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
2007-10-10 16:56 824832 30c1e0f34ad2972c72a01db5c74ab065 C:\WINDOWS\ie7updates\KB944533-IE7\wininet.dll
2007-12-06 19:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll
2008-03-01 06:06 826368 ad21461aef8244edec2ef18e55e1dcf3 C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
2008-04-22 21:16 826368 f6589be784647cfdbc22ea51ccb1a57a C:\WINDOWS\ie7updates\KB953838-IE7\wininet.dll
2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2008-06-23 09:57 826368 8c13d4a7479fa0a026eda8abce82c0ed C:\WINDOWS\SoftwareDistribution\Download\b4e75dba041bc21ee94fbcfa88cb49de\SP2GDR\wininet.dll
2008-06-23 09:01 827904 c66402a06b83b036c195242c0c8cf83c C:\WINDOWS\SoftwareDistribution\Download\b4e75dba041bc21ee94fbcfa88cb49de\SP2QFE\wininet.dll
2008-06-23 09:57 826368 8c13d4a7479fa0a026eda8abce82c0ed C:\WINDOWS\system32\wininet.dll
2008-06-23 09:57 826368 8c13d4a7479fa0a026eda8abce82c0ed C:\WINDOWS\system32\dllcache\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-07-21 81920]
"PDF Complete"="C:\Program Files\PDF Complete\pdfsty.exe" [2006-07-14 279576]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"NDPS"="C:\WINDOWS\system32\dpmw32.exe" [2004-05-17 32859]
"ZENRC Tray Icon"="C:\WINDOWS\system32\zentray.exe" [2005-05-18 40960]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2002-08-12 20530]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [2002-08-12 20480]
"PDDM"="C:\Program Files\PatchLink\Update Agent\pddm.exe" [2005-08-09 394816]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 35328]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-10-07 125368]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 C:\WINDOWS\system32\nwtray.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Application Explorer.lnk - C:\Program Files\Novell\ZENworks\NalView.exe [2006-06-13 35840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "C:\Program Files\Novell\ZENworks\NalShell.dll" [2006-06-28 446464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2006-05-02 09:17 24576 C:\WINDOWS\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Novell\\GroupWise\\grpwise.exe"=
"C:\\Novell\\GroupWise\\notify.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 BlankScr;HBDevice;C:\WINDOWS\system32\drivers\BlankScr.sys [2005-05-23 6899]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files\PDF Complete\pdfsvc.exe [2006-07-14 534040]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2006-05-09 167936]
R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe [2007-04-25 49152]
R2 WNTHW;WNTHW;C:\WINDOWS\system32\DRIVERS\WNTHW.SYS [2007-04-25 9176]
R2 XTAgent;Novell XTier Agent Services;C:\WINDOWS\System32\Novell\XTAgent.exe [2006-05-02 61440]
S3 SDTHelper;Helper driver for SDT-Tool;C:\Documents and Settings\Administrator\Desktop\WOOT\sdthlpr.sys [ ]
S3 TL Filter Agent 28;TL Filter Agent 28;C:\Program Files\Timeline Analyst\Shared\TLFSAgt28.exe [2003-06-11 151552]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-08 13:30:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="C:\Program Files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ntdll.dll
-> C:\WINDOWS\system32\xmlparse.dll
-> C:\WINDOWS\system32\NWSHLXNT.dll
-> C:\WINDOWS\system32\NLS\ENGLISH\NWSHLXNR.DLL

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\ntdll.dll

PROCESS: C:\WINDOWS\Explorer.exe
-> C:\WINDOWS\system32\ntdll.dll

PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\WINDOWS\system32\ntdll.dll
.
Completion time: 2008-10-08 13:32:41 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-10-08 20:32:28
ComboFix2.txt 2008-10-08 16:03:42

Pre-Run: 64,226,193,408 bytes free
Post-Run: 64,217,382,912 bytes free

172 --- E O F --- 2008-04-16 16:15:05

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, October 8, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, October 08, 2008 16:55:28
Records in database: 1299861
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 53097
Threat name: 9
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 00:49:06

File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300000.VBN Infected: Trojan-Spy.Win32.Pophot.cgs 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D4C0000.VBN Infected: Trojan-Spy.Win32.Pophot.cgs 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D4C0001\4DCEA62E.VBN Infected: Trojan-Downloader.Win32.Agent.afls 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E8C0001\4ECEA4DA.VBN Infected: Trojan-GameThief.Win32.WOW.byg 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EF00000.VBN Infected: Trojan-Downloader.Win32.Delf.gff 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EF00002.VBN Infected: Trojan-Downloader.Win32.Delf.gff 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EF00004.VBN Infected: Trojan-Spy.Win32.Pophot.cgt 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EF00005.VBN Infected: Trojan-Spy.Win32.Pophot.cgu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EF00006.VBN Infected: Trojan-Spy.Win32.Pophot.cgu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EF00007.VBN Infected: Trojan-Spy.Win32.Pophot.cgs 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EF00008.VBN Infected: Trojan-Proxy.Win32.Agent.awp 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\pozvk.sys.vir Infected: Trojan-Downloader.Win32.Agent.agrx 1
C:\WINDOWS\system32\udxfytw.sys Infected: Trojan-Clicker.Win32.VB.cda 1

The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:23 AM, on 10/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\PatchLink\Update Agent\GRAVITIXSERVICE.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\Novell\ZENworks\wm.exe
\WAP\SYS\PUBLIC\clntrust.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\PatchLink\Update Agent\pddm.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.3929.cn?tn=102720
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [PDDM] C:\Program Files\PatchLink\Update Agent\pddm.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.zenpatchmgmt (HKLM)
O15 - ESC Trusted Zone: *.zenpatchmgmt (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1222118548484
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: PatchLink Update - Novell, Inc. - C:\Program Files\PatchLink\Update Agent\GRAVITIXSERVICE.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan