www.Antispyware.net [RESOLVED]


This topic is locked

#1 hope9300 (New Member, 8 posts)
It has taken over my desktop, creates pop-ups and has disabled my Task Manager.
This is my work computer and I do not know what to do, please help.


Here is my HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:19:39 PM, on 3/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\SxpInst\sxplog32.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\mrofinu72.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://corp.home.ge.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://corp.home.ge.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by General Electric
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://corp.setpac.ge.com/pac.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=cin01.proxy.corporate.ge.com:80;https=cin01.proxy.corporate.ge.com:80;ftp=cin01.proxy.corporate.ge.com:80
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O1 - Hosts: 135.108.57.19 geect
O1 - Hosts: 135.108.57.19 geacqt
O1 - Hosts: 135.108.57.19 geecd
O1 - Hosts: 135.108.57.19 geacqd
O1 - Hosts: 135.108.57.19 newgetpct
O1 - Hosts: 135.108.57.179 geecors
O1 - Hosts: 135.108.57.179 gepayrollors
O1 - Hosts: 135.108.57.92 cvgge15
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: XBTB01629 - {8560380C-8653-4521-8262-7F6A4D3D4B0F} - C:\Program Files\Kintana Toolbar\kintana.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: SupportCentral - {E5CA3FCB-32F0-4602-A3FD-0785E3F0F5BF} - C:\WINDOWS\system32\SCTOOL~1.DLL
O3 - Toolbar: Kintana Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Kintana Toolbar\kintana.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Sxplog] C:\SxpInst\sxpstub.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [SBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
O4 - HKLM\..\Run: [CA-AMAgent] "C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe"
O4 - HKLM\..\Run: [VerifyStartMenu] RunDLL32 C:\Netmanag.97\NMGOINN.DLL,VerifyStartMenu
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\RunServices: [PMA] C:\Netmanag.97\PMALOAD.EXE
O4 - Global Startup: Bluetooth Manager.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://corp.home.ge.com
O15 - Trusted Zone: *.ge.com
O15 - Trusted Zone: *.ge.com (HKLM)
O15 - Trusted Zone: *.gebrandcentral.com (HKLM)
O15 - Trusted Zone: *.gedigitalmedia.com (HKLM)
O15 - Trusted Zone: *.gemediacentral.com (HKLM)
O15 - Trusted Zone: *.genewscenter.com (HKLM)
O15 - Trusted Zone: *.geolympiccentral.com (HKLM)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1200319556015
O16 - DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} (JNILoader Control) - http://americascomm0...STJNILoader.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace...ronGameHost.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nam.corp.ge.com
O17 - HKLM\Software\..\Telephony: DomainName = nam.corp.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nam.corp.ge.com
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: Unicenter Message Queuing Server (CA-MessageQueuing) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Juniper TNC Endpoint Assessment (EacService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Juniper Unified Network Service (JuniperAccessService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Juniper OAC Service (odClientService) - Juniper Networks, Inc. - C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

--
End of file - 12523 bytes
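The log above is the kind a helper reads by hand, and the entries that matter most are easy to miss among the dozens of benign ones: the F2 UserInit value that chains a second executable (C:\WINDOWS\system32\mgmrwmrv.exe) into every interactive logon, the O4 Run entry that launches an executable from the root of the Windows directory with a long hex argument, the orphaned O2 BHO registrations, and the O6 policy restrictions that match the "Task Manager disabled" symptom. The following triage script is an added example, not part of the original thread and not a HijackThis feature: it reads lines in the HijackThis v2 format and flags exactly those indicators. The sample lines are constructed from entries in the log above (they are not the full log), and the script assumes %WINDIR% is C:\WINDOWS and that the only legitimate UserInit entry is the stock userinit.exe under system32. The severity labels and the helper names (triage, split_command, Finding) are this example's own.

```python
"""Triage HijackThis v2 log lines for the persistence indicators seen in this thread.

Assumptions (example's own, not from the thread): %WINDIR% is C:\\WINDOWS, as the
log shows, and the only legitimate UserInit entry is the stock userinit.exe in system32.
"""
import re
from dataclasses import dataclass

USERINIT_OK = {r"c:\windows\system32\userinit.exe"}
WINDIR = r"c:\windows"

# Constructed sample, modelled on entries from the log above (not the full log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    section: str    # HijackThis section tag: F2, O2, O4, O6
    detail: str


_O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<val>.*)$")
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
_HEX_BLOB_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")
_IMAGE_RE = re.compile(r"(?i)(.*?\.exe)\s*(.*)$")


def split_command(cmd):
    """Split a Run value into (image path, arguments), honouring a quoted image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], "") if end == -1 else (cmd[1:end], cmd[end + 1:].strip())
    m = _IMAGE_RE.match(cmd)      # unquoted: the image ends at the first ".exe"
    return (m.group(1), m.group(2)) if m else (cmd, "")


def check_f2(line):
    m = _F2_RE.match(line)
    if not m:
        return []
    entries = [e.strip() for e in m.group("val").split(",") if e.strip()]
    extra = [e for e in entries if e.lower() not in USERINIT_OK]
    # Anything chained after userinit.exe runs at every interactive logon, before the shell.
    return [Finding("high", "F2", "UserInit chains extra executables: " + ", ".join(extra))] if extra else []


def check_o2(line):
    if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
        m = _CLSID_RE.search(line)
        # Orphaned registration: the DLL is gone but the CLSID is still registered; clean-up item.
        return [Finding("low", "O2", "orphaned BHO " + (m.group(0) if m else "(unknown CLSID)"))]
    return []


def check_o4(line):
    m = _O4_RE.match(line)
    if not m:
        return []
    name = m.group("name")
    path, args = split_command(m.group("cmd"))
    findings = []
    if "\\" not in path:
        # Bare image name: resolved through the search path, so it can be shadowed.
        findings.append(Finding("low", "O4", f"[{name}] image given without a path: {path}"))
    elif path.rsplit("\\", 1)[0].lower() == WINDIR:
        # Legitimate software rarely drops its Run target straight into %WINDIR%.
        findings.append(Finding("high", "O4", f"[{name}] runs {path} directly from the Windows directory"))
    if _HEX_BLOB_RE.search(args):
        # A long opaque hex argument is typical of droppers passing a campaign/affiliate ID.
        findings.append(Finding("high", "O4", f"[{name}] passes a long hex blob as argument: {args[:16]}..."))
    return findings


def check_o6(line):
    if line.startswith("O6 - ") and line.endswith("present"):
        # IE policy restrictions: normal under a domain GPO, suspicious on an unmanaged box.
        return [Finding("medium", "O6", line[5:])]
    return []


CHECKS = (check_f2, check_o2, check_o4, check_o6)
_RANK = {"high": 0, "medium": 1, "low": 2}


def triage(log_text):
    """Run every check over every line; return findings ordered by severity."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in CHECKS:
            findings.extend(check(line))
    return sorted(findings, key=lambda f: _RANK[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.section}  {f.detail}")
```

On the sample it reports three high findings (the UserInit chain and two for the runner1 entry), one medium (the IE restrictions policy) and two low (the orphaned BHO and the path-less stsystra.exe). The O6 hit needs context: this is a domain-joined corporate machine, so some policy keys may come from GPO, which is why it is rated medium rather than high; the UserInit chain and the %WINDIR%-root executable have no such benign explanation.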

#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello hope9300

Welcome to G2Go. :)
=====================
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click ComboFix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3 hope9300 (Topic Starter, New Member, 8 posts)
Hi Kahdah,

Thanks for the fast reply!

Here is my ComboFix log

ComboFix 08-03-01.3 - 200013323 2008-03-01 21:39:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1413 [GMT -5:00]
Running from: D:\Documents and Settings\200013323\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\000070.exe
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\x64
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
hxxp://wsus.ad.ge.com
.
((((((((((((((((((((((((( Files Created from 2008-02-02 to 2008-03-02 )))))))))))))))))))))))))))))))
.

2008-03-01 18:19 . 2008-03-01 18:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 17:58 . 2008-03-01 17:58 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-01 16:28 . 2008-03-01 16:28 89,099 --a------ C:\WINDOWS\system32\mgmrwmrv.exe
2008-03-01 16:28 . 2008-03-01 16:28 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-02-15 00:57 . 2008-02-15 17:47 <DIR> d-------- C:\CLIENTUS
2008-02-15 00:28 . 2008-02-15 00:51 <DIR> d-------- C:\CLIENTWS
2008-02-14 17:44 . 2008-02-14 17:44 26,155 --a------ C:\WINDOWS\system32\drivers\LKDE0.tmp
2008-02-13 10:30 . 2008-02-13 10:30 26,155 --a------ C:\WINDOWS\system32\drivers\LKD83.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 02:35 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-02 01:37 --------- d-----w C:\Program Files\Nortel Networks
2008-02-21 18:47 --------- d-----w D:\Documents and Settings\200013323\Application Data\Sametime
2008-02-21 03:40 30,267 ----a-w C:\WINDOWS\system32\drivers\safeboot.sys
2008-02-21 03:40 --------- d-----w C:\Program Files\SafeBoot
2008-02-16 13:53 --------- d-----w D:\Documents and Settings\200013323\Application Data\U3
2008-01-31 13:56 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD26A.tmp
2008-01-31 01:55 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD265.tmp
2008-01-30 13:55 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD18D.tmp
2008-01-30 01:55 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD188.tmp
2008-01-29 13:54 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD11E.tmp
2008-01-29 01:54 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD118.tmp
2008-01-28 13:53 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD82.tmp
2008-01-25 19:58 --------- d-----w D:\Documents and Settings\200013323\Application Data\Move Networks
2008-01-25 10:11 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD383.tmp
2008-01-24 22:11 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD37E.tmp
2008-01-24 10:11 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD2F3.tmp
2008-01-23 22:10 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD294.tmp
2008-01-23 10:10 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD210.tmp
2008-01-22 22:10 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD1B1.tmp
2008-01-22 21:27 --------- d-----w C:\Program Files\MTBWIN
2008-01-21 21:05 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD11F.tmp
2008-01-19 21:10 26,155 ----a-w C:\WINDOWS\system32\drivers\LKDE4.tmp
2008-01-18 14:46 --------- d-----w C:\Program Files\MSECache
2008-01-18 11:30 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD1DC.tmp
2008-01-17 23:29 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD1D7.tmp
2008-01-17 11:29 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD147.tmp
2008-01-16 23:29 26,155 ----a-w C:\WINDOWS\system32\drivers\LKDE7.tmp
2008-01-15 15:27 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD97.tmp
2008-01-14 14:06 --------- d-----w C:\Program Files\Java
2008-01-14 13:18 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD87.tmp
2008-01-11 07:37 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD48D.tmp
2008-01-10 19:37 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD47F.tmp
2008-01-10 07:37 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD31E.tmp
2008-01-09 19:36 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD30E.tmp
2008-01-09 07:36 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD1AC.tmp
2008-01-08 19:35 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD19E.tmp
2008-01-08 07:35 26,155 ----a-w C:\WINDOWS\system32\drivers\LKDBF.tmp
2008-01-07 19:35 26,155 ----a-w C:\WINDOWS\system32\drivers\LKDB6.tmp
2008-01-04 18:41 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD439.tmp
2008-01-04 06:40 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD37C.tmp
2008-01-03 18:40 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD340.tmp
2008-01-03 06:39 26,155 ----a-w C:\WINDOWS\system32\drivers\LKD2D7.tmp
2008-01-02 18:39 26,155 ----a-w C:\WINDOWS\system32\drivers\LKDF9.tmp
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 01:07 3,059,200 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 13:07 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
1999-06-17 22:12 652,332 ----a-w C:\WINDOWS\inf\DRVIDX.BIN
1999-06-17 22:12 195,530 ----a-w C:\WINDOWS\inf\DRVDATA.BIN
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8560380C-8653-4521-8262-7F6A4D3D4B0F}]
2007-05-17 15:53 1216512 --a------ C:\Program Files\Kintana Toolbar\kintana.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-05-16 18:50 138008]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-05-16 18:50 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-05-16 18:50 138008]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 16:26 303104 C:\WINDOWS\stsystra.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 10:33 155648]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 21:32 208952]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 07:00 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 07:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 07:00 455168]
"UAMAgent"="" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 16:14 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 00:40 124656]
"Sxplog"="C:\SxpInst\sxpstub.exe" [2005-10-24 13:44 20480]
"SDJobCheck"="triggusr.exe" []
"SBMGRNT.EXE"="C:\PROGRA~1\SafeBoot\SBMGRNT.exe" [2007-09-05 10:02 49212]
"CA-AMAgent"="C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe" [2003-03-07 04:04 45056]
"VerifyStartMenu"="C:\Netmanag.97\NMGOINN.DLL" [1998-06-18 07:00 537600]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-25 09:32 286720]
"OdTray.exe"="C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2007-06-20 17:32 1028160]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"PMA"="C:\Netmanag.97\PMALOAD.EXE" [1998-06-18 07:00 72128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"SB_NoDispScrSavPage"= 0 (0x0)
"DisableTaskMgr"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)
"SB_NoDispScrSavPage"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
"NoToolbarCustomize"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
odyEvent.dll 2007-11-09 05:44 122949 C:\WINDOWS\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2109546190-1859003067-1489575960-18672\Scripts\Logon\0\0]
"Script"=\\nam.corp.ge.com\SysVol\nam.corp.ge.com\Policies\Scripts\WSUS_production.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2109546190-1859003067-1489575960-89795\Scripts\Logon\0\0]
"Script"=\\nam.corp.ge.com\SysVol\nam.corp.ge.com\Policies\Scripts\WSUS_production.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5556:TCP"= 5556:TCP:SafeBoot

R0 aarich;aarich;C:\WINDOWS\system32\DRIVERS\aarich.sys [2005-05-17 17:12]
R0 SafeBoot;SafeBoot;C:\WINDOWS\system32\drivers\SafeBoot.sys [2008-02-20 22:40]
R0 SBAlg;SBAlg;C:\WINDOWS\system32\drivers\SBAlg.sys [2007-09-05 10:02]
R1 RsvLock;RsvLock;C:\WINDOWS\system32\drivers\RsvLock.sys [2007-09-05 10:02]
R1 SBFlop;SBFlop;C:\WINDOWS\system32\drivers\SBFlop.sys [2007-09-05 10:02]
R1 SbPrcCtl;SbPrcCtl;C:\WINDOWS\system32\drivers\SbPrcCtl.sys [2007-09-05 10:02]
R2 JuniperAccessService;Juniper Unified Network Service;C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [2007-06-14 17:12]
R2 SafeBootConfigurationManager;SafeBoot Configuration Manager;C:\Program Files\SafeBoot\SBMGRNT.EXE [2007-09-05 10:02]
R2 VPatch;ISS Buffer Overflow Exploit Prevention;C:\Program Files\ISS\Proventia Desktop\vpatch.exe [2006-06-07 15:03]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2003-10-23 14:55]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2003-10-23 14:55]
R3 jnprna;Juniper Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\jnprna.sys [2007-06-14 14:25]
R3 MakoNT;MakoNT;C:\WINDOWS\system32\drivers\MakoNT.sys [2006-06-07 14:41]
R3 rap;rap;C:\WINDOWS\system32\drivers\RapDrv.sys [2007-09-10 09:13]
R4 black;black;C:\WINDOWS\system32\drivers\BlackCat.sys [2007-09-10 09:13]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2003-10-23 14:55]
S3 EacService;Juniper TNC Endpoint Assessment;C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [2007-06-20 18:06]
S3 ExtranetAccess;Contivity VPN Service;"C:\Program Files\Nortel Networks\Extranet_serv.exe" [2003-10-23 14:45]
S3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2004-07-09 12:47]
S3 odysseyIM4;Odyssey Network Driver Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2006-08-17 08:51]
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE [2002-04-26 18:34]
S4 a320raid;a320raid;C:\WINDOWS\system32\DRIVERS\a320raid.sys [2005-02-17 19:05]
S4 aac;PERC 320/DC SCSI RAID Miniport Driver;C:\WINDOWS\system32\DRIVERS\aac.sys [2004-04-07 13:14]
S4 vmscsi;vmscsi;C:\WINDOWS\system32\drivers\vmscsi.sys [2003-02-24 09:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25a16bc0-383e-11db-a006-000bdbda9c73}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\wmactedp.inf,PerUserStub,,4
.
Contents of the 'Scheduled Tasks' folder
"2007-11-17 04:40:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 21:41:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-01 21:41:40
ComboFix-quarantined-files.txt 2008-03-02 02:41:32
.
2008-02-21 14:29:01 --- E O F ---




Here is my HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:43, on 2008-03-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DellTPad\HidFind.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\DellTPad\Apntex.exe
C:\SxpInst\sxplog32.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\CA\SharedComponents\CAM\bin\caftf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://corp.home.ge.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://corp.setpac.ge.com/pac.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=cin01.proxy.corporate.ge.com:80;https=cin01.proxy.corporate.ge.com:80;ftp=cin01.proxy.corporate.ge.com:80
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O1 - Hosts: 135.108.57.19 geect
O1 - Hosts: 135.108.57.19 geacqt
O1 - Hosts: 135.108.57.19 geecd
O1 - Hosts: 135.108.57.19 geacqd
O1 - Hosts: 135.108.57.19 newgetpct
O1 - Hosts: 135.108.57.179 geecors
O1 - Hosts: 135.108.57.179 gepayrollors
O1 - Hosts: 135.108.57.92 cvgge15
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: XBTB01629 - {8560380C-8653-4521-8262-7F6A4D3D4B0F} - C:\Program Files\Kintana Toolbar\kintana.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: SupportCentral - {E5CA3FCB-32F0-4602-A3FD-0785E3F0F5BF} - C:\WINDOWS\system32\SCTOOL~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Sxplog] C:\SxpInst\sxpstub.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [SBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
O4 - HKLM\..\Run: [CA-AMAgent] "C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe"
O4 - HKLM\..\Run: [VerifyStartMenu] RunDLL32 C:\Netmanag.97\NMGOINN.DLL,VerifyStartMenu
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\RunServices: [PMA] C:\Netmanag.97\PMALOAD.EXE
O4 - Global Startup: Bluetooth Manager.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://corp.home.ge.com
O15 - Trusted Zone: *.ge.com
O15 - Trusted Zone: *.ge.com (HKLM)
O15 - Trusted Zone: *.gebrandcentral.com (HKLM)
O15 - Trusted Zone: *.gedigitalmedia.com (HKLM)
O15 - Trusted Zone: *.gemediacentral.com (HKLM)
O15 - Trusted Zone: *.genewscenter.com (HKLM)
O15 - Trusted Zone: *.geolympiccentral.com (HKLM)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1200319556015
O16 - DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} (JNILoader Control) - http://americascomm0...STJNILoader.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace...ronGameHost.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nam.corp.ge.com
O17 - HKLM\Software\..\Telephony: DomainName = nam.corp.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nam.corp.ge.com
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: Unicenter Message Queuing Server (CA-MessageQueuing) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Juniper TNC Endpoint Assessment (EacService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Juniper Unified Network Service (JuniperAccessService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Juniper OAC Service (odClientService) - Juniper Networks, Inc. - C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

--
End of file - 12036 bytes
  • 0
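The HijackThis log above is read one section code at a time (F2 for the Winlogon UserInit value, O2 for browser helper objects, O4 for Run keys, O6 for IE policy restrictions, and so on). As an added example, not part of this thread or of HijackThis itself, here is a small triage script that parses lines in that format and flags the entry types a helper looks at first. The sample lines are copied from the log posted above; the category names are my own.

```python
"""Triage a HijackThis log by section code (added example, not HJT code)."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines taken from the log in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O1 - Hosts: 135.108.57.19 geect
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: *.ge.com
"""

# Every HJT entry line starts with a section code such as F2, O2 or O15.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text):
    """Return a list of (code, body) tuples, one per HJT entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Return a dict mapping a finding category to the entries behind it."""
    findings = defaultdict(list)
    for code, body in parse_hjt(text):
        if code == "F2" and "UserInit=" in body:
            # Winlogon's UserInit should name only userinit.exe; every extra
            # comma-separated path is launched at each logon.
            value = body.split("UserInit=", 1)[1]
            for p in value.split(","):
                if p and not p.lower().endswith("\\userinit.exe"):
                    findings["userinit_extra"].append(p)
        elif code == "O2" and body.endswith("(no file)"):
            # Orphaned BHO registration: the CLSID is still there, the DLL is gone.
            findings["orphaned_bho"].append(body)
        elif code == "O4":
            # Run entries that give a bare file name are resolved through the
            # search path, so the binary should be located before it is trusted.
            target = body.split("] ", 1)[1] if "] " in body else body
            if not re.match(r'^"?[A-Za-z]:\\', target):
                findings["run_no_path"].append(target)
        elif code == "O6":
            # IE policy restrictions come from an administrator or from malware.
            findings["ie_policy"].append(body)
        elif code == "O1":
            findings["hosts_override"].append(body)
        elif code == "O15":
            findings["trusted_zone"].append(body)
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
```

On the sample above the script singles out mgmrwmrv.exe from the UserInit value, the orphaned BHO, the path-less stsystra.exe Run entry, the IE restriction policy, the hosts override and the trusted-zone wildcard; the corporate hosts entries and trusted zone are expected on a managed machine, which is why the script reports rather than judges them.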

#4
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Please submit the following files to one of these online file scanners.
(All you have to do is copy and paste them in one at a time.)

C:\Program Files\Kintana Toolbar\kintana.dll
C:\WINDOWS\system32\drivers\LKDE0.tmp


Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.
  • 0

#5
hope9300
    New Member
  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is the kintana file. This is a file that is used by my job. Everyone who has a computer has the kintana toolbar. But here is the info.

Antivirus Version Last Update Result
AhnLab-V3 2008.2.29.1 2008.02.29 -
AntiVir 7.6.0.73 2008.03.02 -
Authentium 4.93.8 2008.03.01 -
Avast 4.7.1098.0 2008.03.02 -
AVG 7.5.0.516 2008.03.02 Adware Generic2.SST
BitDefender 7.2 2008.03.02 -
CAT-QuickHeal 9.50 2008.03.01 -
ClamAV 0.92.1 2008.03.02 -
DrWeb 4.44.0.09170 2008.03.02 -
eSafe 7.0.15.0 2008.02.28 -
eTrust-Vet 31.3.5574 2008.02.29 -
Ewido 4.0 2008.03.02 Adware.Softomate
FileAdvisor 1 2008.03.02 -
Fortinet 3.14.0.0 2008.03.02 -
F-Prot 4.4.2.54 2008.03.02 W32/Adware.XOC
F-Secure 6.70.13260.0 2008.03.01 -
Ikarus T3.1.1.20 2008.03.02 not-a-virus:AdWare.Win32.Mostofate.ap
Kaspersky 7.0.0.125 2008.03.02 not-a-virus:AdWare.Win32.Mostofate.ap
McAfee 5242 2008.02.29 -
Microsoft 1.3301 2008.03.02 -
NOD32v2 2913 2008.03.01 -
Norman 5.80.02 2008.02.29 W32/Softomate.OJ
Panda 9.0.0.4 2008.03.02 -
Prevx1 V2 2008.03.02 Heuristic: Suspicious File With Bad Parent Associations
Rising 20.33.62.00 2008.03.02 -
Sophos 4.27.0 2008.03.02 -
Sunbelt 3.0.906.0 2008.02.28 -
Symantec 10 2008.03.02 -
TheHacker 6.2.92.231 2008.03.02 -
VBA32 3.12.6.2 2008.02.27 AdWare.Win32.Mostofate.ap
VirusBuster 4.3.26:9 2008.03.02 -
Webwasher-Gateway 6.6.2 2008.03.02 -
Additional information
File size: 1216512 bytes
MD5: 14feab3b1b9083966fa60266d16a3f0a
SHA1: 57830fd8abf8565a98ec3a6291a77e747f1f5178
PEiD: -
Prevx info: http://info.prevx.co...C268C0094DED053


The second file

Antivirus Version Last Update Result
AhnLab-V3 2008.2.29.1 2008.02.29 -
AntiVir 7.6.0.73 2008.03.02 -
Authentium 4.93.8 2008.03.01 -
Avast 4.7.1098.0 2008.03.02 -
AVG 7.5.0.516 2008.03.02 -
BitDefender 7.2 2008.03.02 -
CAT-QuickHeal 9.50 2008.03.01 -
ClamAV 0.92.1 2008.03.02 -
DrWeb 4.44.0.09170 2008.03.02 -
eSafe 7.0.15.0 2008.02.28 -
eTrust-Vet 31.3.5574 2008.02.29 -
Ewido 4.0 2008.03.02 -
FileAdvisor 1 2008.03.02 -
Fortinet 3.14.0.0 2008.03.02 -
F-Prot 4.4.2.54 2008.03.02 -
F-Secure 6.70.13260.0 2008.03.01 -
Ikarus T3.1.1.20 2008.03.02 -
Kaspersky 7.0.0.125 2008.03.02 -
McAfee 5242 2008.02.29 -
Microsoft 1.3301 2008.03.02 -
NOD32v2 2913 2008.03.01 -
Norman 5.80.02 2008.02.29 -
Panda 9.0.0.4 2008.03.02 -
Prevx1 V2 2008.03.02 -
Rising 20.33.62.00 2008.03.02 -
Sophos 4.27.0 2008.03.02 -
Sunbelt 3.0.906.0 2008.02.28 -
Symantec 10 2008.03.02 -
TheHacker 6.2.92.231 2008.03.02 -
VBA32 3.12.6.2 2008.02.27 -
VirusBuster 4.3.26:9 2008.03.02 -
Webwasher-Gateway 6.6.2 2008.03.02 Win32.Malware.gen!80 (suspicious)
Additional information
File size: 26155 bytes
MD5: a6d6a4e7798c6c0c25fab6f92eee42f7
SHA1: 88bacf799ed861752a4d7c7c98f94539da6731ea
PEiD: -


Thanks again
  • 0

#6
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts

"Everyone who has a computer has the kintana toolbar"

I have a computer and I don't have one.
Since you use it for your job I will leave it.
But as you can see it is adware.
=======================
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\drivers\LKD26A.tmp
C:\WINDOWS\system32\drivers\LKD265.tmp
C:\WINDOWS\system32\drivers\LKD18D.tmp
C:\WINDOWS\system32\drivers\LKD188.tmp
C:\WINDOWS\system32\drivers\LKD11E.tmp
C:\WINDOWS\system32\drivers\LKD118.tmp
C:\WINDOWS\system32\drivers\LKD82.tmp
C:\WINDOWS\system32\drivers\LKD383.tmp
C:\WINDOWS\system32\drivers\LKD37E.tmp
C:\WINDOWS\system32\drivers\LKD2F3.tmp
C:\WINDOWS\system32\drivers\LKD294.tmp
C:\WINDOWS\system32\drivers\LKD210.tmp
C:\WINDOWS\system32\drivers\LKD1B1.tmp
C:\WINDOWS\system32\drivers\LKD11F.tmp
C:\WINDOWS\system32\drivers\LKDE4.tmp
C:\WINDOWS\system32\drivers\LKD1DC.tmp
C:\WINDOWS\system32\drivers\LKD1D7.tmp
C:\WINDOWS\system32\drivers\LKD147.tmp
C:\WINDOWS\system32\drivers\LKDE7.tmp
C:\WINDOWS\system32\drivers\LKD97.tmp
C:\WINDOWS\system32\drivers\LKD87.tmp
C:\WINDOWS\system32\drivers\LKD48D.tmp
C:\WINDOWS\system32\drivers\LKD47F.tmp
C:\WINDOWS\system32\drivers\LKD31E.tmp
C:\WINDOWS\system32\drivers\LKD30E.tmp
C:\WINDOWS\system32\drivers\LKD1AC.tmp
C:\WINDOWS\system32\drivers\LKD19E.tmp
C:\WINDOWS\system32\drivers\LKDBF.tmp
C:\WINDOWS\system32\drivers\LKDB6.tmp
C:\WINDOWS\system32\drivers\LKD439.tmp
C:\WINDOWS\system32\drivers\LKD37C.tmp
C:\WINDOWS\system32\drivers\LKD340.tmp
C:\WINDOWS\system32\drivers\LKD2D7.tmp
C:\WINDOWS\system32\drivers\LKDF9.tmp
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0
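The CFScript above uses two ComboFix sections: File:: lists paths to remove, and Registry:: holds .reg-style (REGEDIT4) entries, where "Name"=- deletes a value. As an added example, not from the thread and not ComboFix's own code, here is a parser that turns such a script into a reviewable plan before it is run. The sample script is constructed from the lines kahdah posted; the handling of a leading minus on a key name ([-HKEY...] deleting the whole key) follows the REGEDIT4 convention and is not used in this thread.

```python
"""Parse a ComboFix CFScript into a plan of actions (added example)."""

# Constructed sample built from the File:: and Registry:: lines posted above.
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\drivers\LKD26A.tmp
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
"""


def parse_cfscript(text):
    """Return {"files": [paths], "registry": [(key, value_name, action)]}.

    action is "delete" for "Name"=-, "delete_key" for a [-KEY] header,
    and "set:<data>" for any other assignment. Only the File:: and
    Registry:: sections used in this thread are understood.
    """
    plan = {"files": [], "registry": []}
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            # Section header such as File:: or Registry::
            section = line[:-2].lower()
            current_key = None
            continue
        if section == "file":
            plan["files"].append(line)
        elif section == "registry":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
                if key.startswith("-"):
                    # REGEDIT4: [-KEY] deletes the whole key.
                    plan["registry"].append((key[1:], None, "delete_key"))
                    current_key = None
                else:
                    current_key = key
            elif "=" in line and current_key:
                name, _, value = line.partition("=")
                name = name.strip('"')
                # REGEDIT4: "=-" deletes the value, anything else sets it.
                action = "delete" if value == "-" else "set:" + value
                plan["registry"].append((current_key, name, action))
    return plan


def policy_deletions(plan):
    """Names of policy values the script removes.

    Deleting a value under a ...\policies\... key lifts a restriction; here
    that is DisableTaskMgr, which is why Task Manager comes back afterwards.
    """
    return sorted({name for key, name, action in plan["registry"]
                   if action == "delete" and "\\policies\\" in key.lower()})


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_SCRIPT)
    print(f"{len(plan['files'])} file(s) to remove")
    for key, name, action in plan["registry"]:
        print(f"{action:10} {key} :: {name}")
    print("policy values removed:", policy_deletions(plan))
```

Reading the plan back before dragging the script onto ComboFix makes the effect of each line explicit: three files go, two copies of DisableTaskMgr are removed (so the poster's disabled Task Manager is re-enabled), and the DisableMonitoring value that hides Symantec from Security Center is cleared.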

#7
hope9300
    New Member
  • Topic Starter
  • Member
  • Pip
  • 8 posts
Sorry Kahdah,

I should have said that everyone who works for my company has the kintana toolbar on their computers. I misspoke.

I will start this process now. Thanks

Hope
  • 0

#8
hope9300
    New Member
  • Topic Starter
  • Member
  • Pip
  • 8 posts
ComboFix 08-03-01.3 - 200013323 2008-03-02 16:41:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1415 [GMT -5:00]
Running from: D:\Documents and Settings\200013323\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\200013323\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\drivers\LKD118.tmp
C:\WINDOWS\system32\drivers\LKD11E.tmp
C:\WINDOWS\system32\drivers\LKD11F.tmp
C:\WINDOWS\system32\drivers\LKD147.tmp
C:\WINDOWS\system32\drivers\LKD188.tmp
C:\WINDOWS\system32\drivers\LKD18D.tmp
C:\WINDOWS\system32\drivers\LKD19E.tmp
C:\WINDOWS\system32\drivers\LKD1AC.tmp
C:\WINDOWS\system32\drivers\LKD1B1.tmp
C:\WINDOWS\system32\drivers\LKD1D7.tmp
C:\WINDOWS\system32\drivers\LKD1DC.tmp
C:\WINDOWS\system32\drivers\LKD210.tmp
C:\WINDOWS\system32\drivers\LKD265.tmp
C:\WINDOWS\system32\drivers\LKD26A.tmp
C:\WINDOWS\system32\drivers\LKD294.tmp
C:\WINDOWS\system32\drivers\LKD2D7.tmp
C:\WINDOWS\system32\drivers\LKD2F3.tmp
C:\WINDOWS\system32\drivers\LKD30E.tmp
C:\WINDOWS\system32\drivers\LKD31E.tmp
C:\WINDOWS\system32\drivers\LKD340.tmp
C:\WINDOWS\system32\drivers\LKD37C.tmp
C:\WINDOWS\system32\drivers\LKD37E.tmp
C:\WINDOWS\system32\drivers\LKD383.tmp
C:\WINDOWS\system32\drivers\LKD439.tmp
C:\WINDOWS\system32\drivers\LKD47F.tmp
C:\WINDOWS\system32\drivers\LKD48D.tmp
C:\WINDOWS\system32\drivers\LKD82.tmp
C:\WINDOWS\system32\drivers\LKD87.tmp
C:\WINDOWS\system32\drivers\LKD97.tmp
C:\WINDOWS\system32\drivers\LKDB6.tmp
C:\WINDOWS\system32\drivers\LKDBF.tmp
C:\WINDOWS\system32\drivers\LKDE4.tmp
C:\WINDOWS\system32\drivers\LKDE7.tmp
C:\WINDOWS\system32\drivers\LKDF9.tmp
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\system32\winfrun32.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\drivers\LKD118.tmp
C:\WINDOWS\system32\drivers\LKD11E.tmp
C:\WINDOWS\system32\drivers\LKD11F.tmp
C:\WINDOWS\system32\drivers\LKD147.tmp
C:\WINDOWS\system32\drivers\LKD188.tmp
C:\WINDOWS\system32\drivers\LKD18D.tmp
C:\WINDOWS\system32\drivers\LKD19E.tmp
C:\WINDOWS\system32\drivers\LKD1AC.tmp
C:\WINDOWS\system32\drivers\LKD1B1.tmp
C:\WINDOWS\system32\drivers\LKD1D7.tmp
C:\WINDOWS\system32\drivers\LKD1DC.tmp
C:\WINDOWS\system32\drivers\LKD210.tmp
C:\WINDOWS\system32\drivers\LKD265.tmp
C:\WINDOWS\system32\drivers\LKD26A.tmp
C:\WINDOWS\system32\drivers\LKD294.tmp
C:\WINDOWS\system32\drivers\LKD2D7.tmp
C:\WINDOWS\system32\drivers\LKD2F3.tmp
C:\WINDOWS\system32\drivers\LKD30E.tmp
C:\WINDOWS\system32\drivers\LKD31E.tmp
C:\WINDOWS\system32\drivers\LKD340.tmp
C:\WINDOWS\system32\drivers\LKD37C.tmp
C:\WINDOWS\system32\drivers\LKD37E.tmp
C:\WINDOWS\system32\drivers\LKD383.tmp
C:\WINDOWS\system32\drivers\LKD439.tmp
C:\WINDOWS\system32\drivers\LKD47F.tmp
C:\WINDOWS\system32\drivers\LKD48D.tmp
C:\WINDOWS\system32\drivers\LKD82.tmp
C:\WINDOWS\system32\drivers\LKD87.tmp
C:\WINDOWS\system32\drivers\LKD97.tmp
C:\WINDOWS\system32\drivers\LKDB6.tmp
C:\WINDOWS\system32\drivers\LKDBF.tmp
C:\WINDOWS\system32\drivers\LKDE4.tmp
C:\WINDOWS\system32\drivers\LKDE7.tmp
C:\WINDOWS\system32\drivers\LKDF9.tmp
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-02 to 2008-03-02 )))))))))))))))))))))))))))))))
.

2008-03-01 18:19 . 2008-03-01 18:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 17:58 . 2008-03-01 17:58 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-15 00:57 . 2008-02-15 17:47 <DIR> d-------- C:\CLIENTUS
2008-02-15 00:28 . 2008-02-15 00:51 <DIR> d-------- C:\CLIENTWS
2008-02-14 17:44 . 2008-02-14 17:44 26,155 --a------ C:\WINDOWS\system32\drivers\LKDE0.tmp
2008-02-13 10:30 . 2008-02-13 10:30 26,155 --a------ C:\WINDOWS\system32\drivers\LKD83.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 20:18 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-02 01:37 --------- d-----w C:\Program Files\Nortel Networks
2008-02-21 18:47 --------- d-----w D:\Documents and Settings\200013323\Application Data\Sametime
2008-02-21 03:40 30,267 ----a-w C:\WINDOWS\system32\drivers\safeboot.sys
2008-02-21 03:40 --------- d-----w C:\Program Files\SafeBoot
2008-02-16 13:53 --------- d-----w D:\Documents and Settings\200013323\Application Data\U3
2008-01-25 19:58 --------- d-----w D:\Documents and Settings\200013323\Application Data\Move Networks
2008-01-22 21:27 --------- d-----w C:\Program Files\MTBWIN
2008-01-18 14:46 --------- d-----w C:\Program Files\MSECache
2008-01-14 14:06 --------- d-----w C:\Program Files\Java
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 01:07 3,059,200 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 13:07 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
1999-06-17 22:12 652,332 ----a-w C:\WINDOWS\inf\DRVIDX.BIN
1999-06-17 22:12 195,530 ----a-w C:\WINDOWS\inf\DRVDATA.BIN
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8560380C-8653-4521-8262-7F6A4D3D4B0F}]
2007-05-17 15:53 1216512 --a------ C:\Program Files\Kintana Toolbar\kintana.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-05-16 18:50 138008]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-05-16 18:50 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-05-16 18:50 138008]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 16:26 303104 C:\WINDOWS\stsystra.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 10:33 155648]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 21:32 208952]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 07:00 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 07:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 07:00 455168]
"UAMAgent"="" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 16:14 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 00:40 124656]
"Sxplog"="C:\SxpInst\sxpstub.exe" [2005-10-24 13:44 20480]
"SDJobCheck"="triggusr.exe" []
"SBMGRNT.EXE"="C:\PROGRA~1\SafeBoot\SBMGRNT.exe" [2007-09-05 10:02 49212]
"CA-AMAgent"="C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe" [2003-03-07 04:04 45056]
"VerifyStartMenu"="C:\Netmanag.97\NMGOINN.DLL" [1998-06-18 07:00 537600]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-25 09:32 286720]
"OdTray.exe"="C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2007-06-20 17:32 1028160]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"PMA"="C:\Netmanag.97\PMALOAD.EXE" [1998-06-18 07:00 72128]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"SB_NoDispScrSavPage"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)
"SB_NoDispScrSavPage"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
"NoToolbarCustomize"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
odyEvent.dll 2007-11-09 05:44 122949 C:\WINDOWS\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2109546190-1859003067-1489575960-18672\Scripts\Logon\0\0]
"Script"=\\nam.corp.ge.com\SysVol\nam.corp.ge.com\Policies\Scripts\WSUS_production.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2109546190-1859003067-1489575960-89795\Scripts\Logon\0\0]
"Script"=\\nam.corp.ge.com\SysVol\nam.corp.ge.com\Policies\Scripts\WSUS_production.vbe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5556:TCP"= 5556:TCP:SafeBoot

R0 aarich;aarich;C:\WINDOWS\system32\DRIVERS\aarich.sys [2005-05-17 17:12]
R0 SafeBoot;SafeBoot;C:\WINDOWS\system32\drivers\SafeBoot.sys [2008-02-20 22:40]
R0 SBAlg;SBAlg;C:\WINDOWS\system32\drivers\SBAlg.sys [2007-09-05 10:02]
R1 RsvLock;RsvLock;C:\WINDOWS\system32\drivers\RsvLock.sys [2007-09-05 10:02]
R1 SBFlop;SBFlop;C:\WINDOWS\system32\drivers\SBFlop.sys [2007-09-05 10:02]
R1 SbPrcCtl;SbPrcCtl;C:\WINDOWS\system32\drivers\SbPrcCtl.sys [2007-09-05 10:02]
R2 JuniperAccessService;Juniper Unified Network Service;C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [2007-06-14 17:12]
R2 SafeBootConfigurationManager;SafeBoot Configuration Manager;C:\Program Files\SafeBoot\SBMGRNT.EXE [2007-09-05 10:02]
R2 VPatch;ISS Buffer Overflow Exploit Prevention;C:\Program Files\ISS\Proventia Desktop\vpatch.exe [2006-06-07 15:03]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2003-10-23 14:55]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2003-10-23 14:55]
R3 jnprna;Juniper Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\jnprna.sys [2007-06-14 14:25]
R3 MakoNT;MakoNT;C:\WINDOWS\system32\drivers\MakoNT.sys [2006-06-07 14:41]
R3 rap;rap;C:\WINDOWS\system32\drivers\RapDrv.sys [2007-09-10 09:13]
R4 black;black;C:\WINDOWS\system32\drivers\BlackCat.sys [2007-09-10 09:13]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2003-10-23 14:55]
S3 EacService;Juniper TNC Endpoint Assessment;C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [2007-06-20 18:06]
S3 ExtranetAccess;Contivity VPN Service;"C:\Program Files\Nortel Networks\Extranet_serv.exe" [2003-10-23 14:45]
S3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2004-07-09 12:47]
S3 odysseyIM4;Odyssey Network Driver Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2006-08-17 08:51]
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE [2002-04-26 18:34]
S4 a320raid;a320raid;C:\WINDOWS\system32\DRIVERS\a320raid.sys [2005-02-17 19:05]
S4 aac;PERC 320/DC SCSI RAID Miniport Driver;C:\WINDOWS\system32\DRIVERS\aac.sys [2004-04-07 13:14]
S4 vmscsi;vmscsi;C:\WINDOWS\system32\drivers\vmscsi.sys [2003-02-24 09:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25a16bc0-383e-11db-a006-000bdbda9c73}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\wmactedp.inf,PerUserStub,,4
.
Contents of the 'Scheduled Tasks' folder
"2007-11-17 04:40:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-02 16:43:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

folder error: D:\Documents and Settings\200013323
**************************************************************************
.
Completion time: 2008-03-02 16:44:49
ComboFix-quarantined-files.txt 2008-03-02 21:43:56
ComboFix2.txt 2008-03-02 02:41:40
.
2008-02-21 14:29:01 --- E O F ---


And here is the HijackThis profile

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:45, on 2008-03-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\DellTPad\HidFind.exe
C:\SxpInst\sxplog32.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://corp.home.ge.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://corp.setpac.ge.com/pac.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=cin01.proxy.corporate.ge.com:80;https=cin01.proxy.corporate.ge.com:80;ftp=cin01.proxy.corporate.ge.com:80
O1 - Hosts: 135.108.57.19 geect
O1 - Hosts: 135.108.57.19 geacqt
O1 - Hosts: 135.108.57.19 geecd
O1 - Hosts: 135.108.57.19 geacqd
O1 - Hosts: 135.108.57.19 newgetpct
O1 - Hosts: 135.108.57.179 geecors
O1 - Hosts: 135.108.57.179 gepayrollors
O1 - Hosts: 135.108.57.92 cvgge15
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: XBTB01629 - {8560380C-8653-4521-8262-7F6A4D3D4B0F} - C:\Program Files\Kintana Toolbar\kintana.dll
O3 - Toolbar: SupportCentral - {E5CA3FCB-32F0-4602-A3FD-0785E3F0F5BF} - C:\WINDOWS\system32\SCTOOL~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Sxplog] C:\SxpInst\sxpstub.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [SBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
O4 - HKLM\..\Run: [CA-AMAgent] "C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe"
O4 - HKLM\..\Run: [VerifyStartMenu] RunDLL32 C:\Netmanag.97\NMGOINN.DLL,VerifyStartMenu
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\RunServices: [PMA] C:\Netmanag.97\PMALOAD.EXE
O4 - Global Startup: Bluetooth Manager.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://corp.home.ge.com
O15 - Trusted Zone: *.ge.com
O15 - Trusted Zone: *.ge.com (HKLM)
O15 - Trusted Zone: *.gebrandcentral.com (HKLM)
O15 - Trusted Zone: *.gedigitalmedia.com (HKLM)
O15 - Trusted Zone: *.gemediacentral.com (HKLM)
O15 - Trusted Zone: *.genewscenter.com (HKLM)
O15 - Trusted Zone: *.geolympiccentral.com (HKLM)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1200319556015
O16 - DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} (JNILoader Control) - http://americascomm0...STJNILoader.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace...ronGameHost.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nam.corp.ge.com
O17 - HKLM\Software\..\Telephony: DomainName = nam.corp.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nam.corp.ge.com
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: Unicenter Message Queuing Server (CA-MessageQueuing) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Juniper TNC Endpoint Assessment (EacService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Juniper Unified Network Service (JuniperAccessService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Juniper OAC Service (odClientService) - Juniper Networks, Inc. - C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

--
End of file - 10146 bytes


Thanks KahDah... Oh by the way the screensaver is off. I will forever be indebted to you when this is fixed. I was afraid I would go to work tomorrow and this thing would corrupt the entire network, and then I will be fired. Thanks SO MUCH!
  • 0

#9
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
  • 0

#10
hope9300

hope9300

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is the log

Malwarebytes' Anti-Malware 1.05
Database version: 441

Scan type: Full Scan (C:\|D:\|F:\|H:\|I:\|J:\|N:\|O:\|)
Objects scanned: 86562
Time elapsed: 33 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Kintana Toolbar\kintana.dll (Adware.Mostofate) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\xbtb01629.ietoolbar (Adware.Mostofate) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{77fbf9b8-1d37-4ff2-9ced-192d8e3aba6f} (Adware.Mostofate) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{8560380c-8653-4521-8262-7f6a4d3d4b0f} (Adware.Mostofate) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8560380c-8653-4521-8262-7f6a4d3d4b0f} (Adware.Mostofate) -> No action taken.
HKEY_CLASSES_ROOT\xbtb01629.ietoolbar.1 (Adware.Mostofate) -> No action taken.
HKEY_CLASSES_ROOT\xbtb01629.xbtb01629 (Adware.Mostofate) -> No action taken.
HKEY_CLASSES_ROOT\xbtb01629.xbtb01629.3 (Adware.Mostofate) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XBTB01629.IEToolbar (Adware.Softomate) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XBTB01629.IEToolbar.1 (Adware.Softomate) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XBTB01629.XBTB01629 (Adware.Softomate) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB01629.XBTB01629Toolbar (Adware.Softomate) -> No action taken.
HKEY_CURRENT_USER\Software\XBTB01629 (Adware.Softomate) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{77fbf9b8-1d37-4ff2-9ced-192d8e3aba6f} (Adware.Mostofate) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Kintana Toolbar\kintana.dll (Adware.Mostofate) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\000070.exe.vir (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{EAD4940F-758F-4380-9224-E198F1022692}\RP190\A0049826.dll (Adware.SearchAid) -> No action taken.
C:\System Volume Information\_restore{EAD4940F-758F-4380-9224-E198F1022692}\RP190\A0049829.exe (Adware.ISM) -> No action taken.
C:\System Volume Information\_restore{EAD4940F-758F-4380-9224-E198F1022692}\RP190\A0049830.exe (Adware.ISM) -> No action taken.
C:\System Volume Information\_restore{EAD4940F-758F-4380-9224-E198F1022692}\RP190\A0049831.exe (Adware.SearchAid) -> No action taken.
C:\System Volume Information\_restore{EAD4940F-758F-4380-9224-E198F1022692}\RP190\A0049832.exe (Adware.SearchAid) -> No action taken.
C:\System Volume Information\_restore{EAD4940F-758F-4380-9224-E198F1022692}\RP190\A0049833.exe (Adware.SearchAid) -> No action taken.
C:\System Volume Information\_restore{EAD4940F-758F-4380-9224-E198F1022692}\RP191\A0049974.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{EAD4940F-758F-4380-9224-E198F1022692}\RP193\A0050163.exe (Trojan.Agent) -> No action taken.
D:\Deckard\System Scanner\backup\DOCUME~1\200013~1\LOCALS~1\Temp\ismtpa11.exe (Adware.ISM) -> No action taken.
D:\System Volume Information\_restore{EAD4940F-758F-4380-9224-E198F1022692}\RP190\A0049808.exe (Trojan.Agent) -> No action taken.
  • 0
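The two reports above are read the same way a helper in this thread reads them by eye: the HijackThis log says what is configured to load (BHOs, Run keys, services, Hosts overrides), and the Malwarebytes report says which of those items a scanner flagged and whether it actually removed them. The following Python script is an added example, not code from the thread or from either tool; it parses constructed excerpts modelled on the logs posted above, pairs each scanner hit with the HijackThis entry that loads the same file or CLSID, and lists hits whose recorded action is still "No action taken". The function names, regexes and sample text are all assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of a HijackThis v2 log, modelled on the entries posted in this thread.
HJT_LOG = """\
O1 - Hosts: 135.108.57.19 geect
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: XBTB01629 - {8560380C-8653-4521-8262-7F6A4D3D4B0F} - C:\\Program Files\\Kintana Toolbar\\kintana.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\\Program Files\\ISS\\Proventia Desktop\\blackd.exe
"""

# Constructed excerpt of a Malwarebytes' Anti-Malware report in the format posted above.
MBAM_REPORT = """\
Memory Modules Infected:
C:\\Program Files\\Kintana Toolbar\\kintana.dll (Adware.Mostofate) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\\CLSID\\{8560380c-8653-4521-8262-7f6a4d3d4b0f} (Adware.Mostofate) -> No action taken.
"""

# "O2 - BHO: ..." / "R1 - HKCU\..." : section code, then the entry body.
HJT_ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# A COM class id in braces; compared case-insensitively because the two tools differ in case.
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A drive-letter path ending in a loadable module; lazy so it stops at the first extension.
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|sys|ocx)", re.IGNORECASE)
# "<item> (<signature>) -> <action>"
MBAM_HIT = re.compile(r"^(?P<item>.+?) \((?P<signature>[^()]+)\) -> (?P<action>.+)$")


def parse_hjt(text: str) -> List[Dict]:
    """Split a HijackThis log into entries, each with the CLSIDs and file paths it references."""
    entries = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if not m:
            continue  # process list, headers, blank lines
        body = m.group("body")
        entries.append({
            "section": m.group("section"),
            "body": body,
            "clsids": {c.lower() for c in CLSID.findall(body)},
            "paths": {p.lower() for p in WIN_PATH.findall(body)},
        })
    return entries


def parse_mbam(text: str) -> List[Dict]:
    """Extract every detection line from a Malwarebytes report with its signature and action."""
    hits = []
    for line in text.splitlines():
        m = MBAM_HIT.match(line.strip())
        if not m:
            continue  # section headers and "(No malicious items detected)"
        item = m.group("item")
        hits.append({
            "item": item,
            "signature": m.group("signature"),
            "action": m.group("action"),
            "clsids": {c.lower() for c in CLSID.findall(item)},
            "paths": {p.lower() for p in WIN_PATH.findall(item)},
        })
    return hits


def correlate(hjt_entries: List[Dict], hits: List[Dict]) -> List[Tuple[str, str, str]]:
    """Pair each scanner hit with the HijackThis entries that load the same file or CLSID."""
    matches = []
    for hit in hits:
        for entry in hjt_entries:
            if (hit["clsids"] & entry["clsids"]) or (hit["paths"] & entry["paths"]):
                matches.append((entry["section"], hit["signature"], entry["body"]))
    return matches


def unresolved(hits: List[Dict]) -> List[Dict]:
    """Hits whose recorded action shows nothing was removed: the check the next reply makes."""
    return [h for h in hits if h["action"].lower().startswith("no action taken")]


if __name__ == "__main__":
    hjt = parse_hjt(HJT_LOG)
    hits = parse_mbam(MBAM_REPORT)
    for section, signature, body in correlate(hjt, hits):
        print(f"{section} entry flagged as {signature}: {body}")
    print(f"{len(unresolved(hits))} of {len(hits)} detections were not cleaned")
```

Matching on the lowercased CLSID is what ties the registry-key hit to the O2 line: the BHO entry and the HKEY_CLASSES_ROOT\CLSID key are two views of the same toolbar, so a report that flags one should be read together with the other before deciding what to keep, which is exactly the judgement the next reply makes about the Kintana toolbar.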

#11
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You didn't clean the infections.

Please rerun the program and when it finds all of the infections again make sure to uncheck this entry:
C:\Program Files\Kintana Toolbar\kintana.dll (Adware.Mostofate)

If you don't it will remove that program.


Also please let it disinfect what it finds.
==============================================
Then after that
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#12
hope9300

hope9300

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is the log:

2008-03-02 21:02
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/03/2008
Kaspersky Anti-Virus database records: 593820


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
H:\
I:\
J:\
N:\
O:\

Scan Statistics
Total number of scanned objects 57950
Number of viruses found 1
Number of infected objects 1
Number of suspicious objects 0
Duration of the scan process 01:27:02

Infected Object Name Virus Name Last Action
C:\Program Files\CA\SharedComponents\CAM\logs\au000 Object is locked skipped

C:\Program Files\CA\SharedComponents\CAM\logs\dg003 Object is locked skipped

C:\Program Files\CA\SharedComponents\CAM\logs\tr000 Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\.udout Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\blackice-service.log Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\BOEP_Daemon.log Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\BOEP_Driver.log Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\desktop-rapapp.log Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\IBE\IBEDD.ewm Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\IBE\IBEDM.ewm Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\IBE\IBEDS.ewm Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\IBE\IBEED.ewm Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\IBE\IBEEK.ewm Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\IBE\IBEEL.ewm Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\IBE\IBEM0K.ewm Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\IBE\IBEM1K.ewm Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\IBE\IBEM2K.ewm Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\IBE\IBEM3K.ewm Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\IBE\IBEMD.ewm Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\issCommon.trace Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\msl_update.log Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\PolicyXlate.log Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\quarantine\IBEqm.qsi Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\rapapp.log Object is locked skipped

C:\Program Files\ISS\Proventia Desktop\SensorEventQueue.ADF Object is locked skipped

C:\Program Files\Kintana Toolbar\kintana.dll Infected: not-a-virus:AdWare.Win32.Mostofate.ap skipped

C:\Program Files\SafeBoot\SBGINA.LCK Object is locked skipped

C:\Program Files\Symantec AntiVirus\SAVRT\0358NAV~.TMP Object is locked skipped

C:\Program Files\Symantec AntiVirus\SAVRT\0777NAV~.TMP Object is locked skipped

C:\SAFEBOOT.FS Object is locked skipped

C:\System Volume Information\_restore{EAD4940F-758F-4380-9224-E198F1022692}\RP194\change.log Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB833987$\sxs.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjetol1.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped

C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped

C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped

C:\WINDOWS\Debug\Netlogon.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{F90E4D58-7020-44CC-A306-844089628F69}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\safeboot.sys Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\Documents and Settings\200013323\Cookies\index.dat Object is locked skipped

D:\Documents and Settings\200013323\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

D:\Documents and Settings\200013323\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

D:\Documents and Settings\200013323\Local Settings\History\History.IE5\index.dat Object is locked skipped

D:\Documents and Settings\200013323\Local Settings\History\History.IE5\MSHist012008030220080303\index.dat Object is locked skipped

D:\Documents and Settings\200013323\Local Settings\Temporary Internet Files\Content.IE5\A7S50ZEN\UserStatusChange[3].html Object is locked skipped

D:\Documents and Settings\200013323\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

D:\Documents and Settings\200013323\Local Settings\Temporary Internet Files\Content.IE5\ITEBA9WT\main[1].swf Object is locked skipped

D:\Documents and Settings\200013323\Local Settings\Temporary Internet Files\Content.IE5\ITEBA9WT\top[1].swf Object is locked skipped

D:\Documents and Settings\200013323\Local Settings\Temporary Internet Files\Content.IE5\ITEBA9WT\UserStatusChange[1].html Object is locked skipped

D:\Documents and Settings\200013323\Local Settings\Temporary Internet Files\Content.IE5\ITEBA9WT\UserStatusChange[3].html Object is locked skipped

D:\Documents and Settings\200013323\Local Settings\Temporary Internet Files\Content.IE5\UN4LONIT\UserStatusChange[1].html Object is locked skipped

D:\Documents and Settings\200013323\Local Settings\Temporary Internet Files\Content.IE5\WRAHYJ4J\UserStatusChange[1].html Object is locked skipped

D:\Documents and Settings\200013323\Local Settings\Temporary Internet Files\Content.IE5\WRAHYJ4J\UserStatusChange[2].html Object is locked skipped

D:\Documents and Settings\200013323\Local Settings\Temporary Internet Files\Content.IE5\WRAHYJ4J\UserStatusChange[3].html Object is locked skipped

D:\Documents and Settings\200013323\Local Settings\Temporary Internet Files\Content.IE5\WRAHYJ4J\UserStatusChange[4].html Object is locked skipped

D:\Documents and Settings\200013323\Local Settings\Temporary Internet Files\Content.IE5\WRAHYJ4J\UserStatusChange[5].html Object is locked skipped

D:\Documents and Settings\200013323\NTUSER.DAT Object is locked skipped

D:\Documents and Settings\200013323\ntuser.dat.LOG Object is locked skipped

D:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{EAD4940F-758F-4380-9224-E198F1022692}\RP194\change.log Object is locked skipped

Scan process completed.
  • 0

#13
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Okay please uninstall Malwarebytes' Anti-Malware
======================================
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


The above procedure will delete and do the following:

  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\Deckard folder, if present
  • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Clean System Restore points.

Also delete\uninstall anything that we used that is left over.
=============================================
After that Your log is clean. :)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here
  • 0

#14
hope9300

hope9300

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks So Much KahDAH. I appreciate all of your help. I will make a donation to the site and make sure this site is the first referral if a friend is ever in need. :)
  • 0

#15
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome :)


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
