If someone is able to help that would be great, I can't face a re-install as I have a 10 day old daughter at home and a frazzled wife. A few days ago I noticed a bubble saying 'Automatic Updates are disabled' but was unable to re-enable them, I wasn't too bothered at the time. Then later on all these pop ups started, I have Norton Anti-virus corporate edition V10 and windows defender on my PC as well as being behind a Netgear router (with NAT) and a Zone Alarm firewall.
I downloaded Malwarebytes, spyware doctor, Ad-aware and spybit but nothing would clean it.
Any help would be really appreciated. I've read a few posts in this forum and I am going to include logs from Hijack this, DSS and combofix.
Hijack THis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:19:38, on 22/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Fingerprint Reader Suite\psqltray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Program Files\Thoosje Sidebar 2.2\Thoosje Sidebar.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: {9dbd5337-e2d2-4bda-d454-4741eba996b0} - {0b699abe-1474-454d-adb4-2d2e7335dbd9} - C:\WINDOWS\system32\kjeipsnx.dll
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\WINDOWS\system32\iixejoea.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Fingerprint Reader Suite\launcher.exe" /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [BMf3b5f465] Rundll32.exe "C:\WINDOWS\system32\eeweavce.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Thoosje Sidebar.lnk = C:\Program Files\Thoosje Sidebar 2.2\Thoosje Sidebar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1208302233578
O17 - HKLM\System\CCS\Services\Tcpip\..\{939E8B02-AB7E-4874-B7CF-230AE7C82776}: NameServer = 192.168.1.1,212.20.226.130
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 11348 bytes
=========================================================================
=========================================================================
ComboFix:
ComboFix 08-05-21.2 - Administrator 2008-05-22 21:04:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1276 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator.XPS1530\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BMf3b5f465.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dcsolmpk.exe
C:\WINDOWS\system32\ggbpifuj.ini
C:\WINDOWS\system32\nwuuuyue.ini
C:\WINDOWS\system32\setup.ini
C:\WINDOWS\system32\vDMpYJlm.ini
C:\WINDOWS\system32\vDMpYJlm.ini2
.
((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.
2008-05-22 17:40 . 2008-05-22 17:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-22 15:26 . 2008-05-22 15:26 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp
2008-05-22 15:26 . 2008-05-22 15:26 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-22 09:00 . 2008-05-22 09:00 135,680 --a------ C:\WINDOWS\system32\kjeipsnx.dll
2008-05-22 09:00 . 2008-05-22 09:00 114,688 --a------ C:\WINDOWS\system32\euyuuuwn.dll
2008-05-22 08:57 . 2008-05-22 08:57 128,000 --a------ C:\WINDOWS\system32\eeweavce.dll
2008-05-22 08:57 . 2008-05-22 08:57 92,160 --a------ C:\WINDOWS\system32\iixejoea.dll
2008-05-22 08:01 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-22 06:16 . 2008-05-22 08:11 <DIR> d-------- C:\Documents and Settings\Administrator.XPS1530\.housecall6.6
2008-05-22 06:04 . 2008-05-22 06:04 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-05-22 06:04 . 2008-05-22 06:06 <DIR> d-------- C:\Documents and Settings\Administrator.XPS1530\SecurityScans
2008-05-21 18:28 . 2008-05-21 18:28 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-05-21 18:28 . 2008-05-21 18:28 <DIR> d-------- C:\Documents and Settings\Administrator.XPS1530\Application Data\Malwarebytes
2008-05-21 18:20 . 2008-05-21 18:21 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-05-21 18:10 . 2008-05-21 18:10 <DIR> d-------- C:\Documents and Settings\Administrator.XPS1530\Application Data\PC Tools
2008-05-21 18:10 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-21 18:10 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-21 18:10 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-21 18:10 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-03 18:28 . 2008-05-03 18:28 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Creative
2008-05-03 16:22 . 2008-05-03 16:22 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Creative Labs
2008-05-03 16:20 . 2008-05-03 16:20 <DIR> d-------- C:\Program Files\Common Files\Creative Labs Shared
2008-05-03 10:20 . 2008-05-03 10:31 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-27 09:39 . 2008-04-27 09:39 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-04-27 09:39 . 2008-04-27 09:39 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-04-26 23:06 . 2008-04-26 23:32 <DIR> d-------- C:\Program Files\MediaMonkey
2008-04-26 21:25 . 2008-04-26 21:25 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\CyberLink
2008-04-26 21:11 . 2008-05-03 23:08 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\NVIDIA
2008-04-26 20:58 . 2008-04-26 22:58 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-26 20:58 . 2006-10-04 15:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-04-26 20:58 . 2006-10-04 15:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-04-26 20:58 . 2006-10-04 15:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-04-26 20:57 . 2008-04-26 20:57 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-26 20:57 . 2008-04-26 20:57 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-23 19:00 . 2008-04-23 19:00 <DIR> d-------- C:\WINDOWS\Sun
2008-04-23 19:00 . 2008-04-23 19:00 <DIR> d-------- C:\Documents and Settings\Administrator.XPS1530\Application Data\Juniper Networks
2008-04-22 19:45 . 2008-05-21 20:08 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-22 00:01 . 2008-04-22 00:01 <DIR> d-------- C:\WINDOWS\system32\ALIEHCI
2008-04-22 00:01 . 2003-06-24 11:47 104,088 --------- C:\WINDOWS\system32\drivers\ALiEHCI.SYS
2008-04-22 00:01 . 2001-11-13 21:24 35,587 --------- C:\WINDOWS\system32\rmusb20.EXE
2008-04-22 00:01 . 2003-01-11 17:20 28,672 --------- C:\WINDOWS\system32\Unusb20.exe
2008-04-22 00:01 . 2003-06-24 11:54 17,835 --------- C:\WINDOWS\system32\drivers\ALiHUB.SYS
2008-04-22 00:01 . 2003-06-24 11:53 8,668 --------- C:\WINDOWS\system32\drivers\ALiGP.SYS
2008-04-22 00:01 . 2003-06-24 11:55 5,337 --------- C:\WINDOWS\system32\drivers\ALiRTHUB.SYS
2008-04-22 00:01 . 2003-06-24 13:35 635 --a------ C:\WINDOWS\system32\setup.iss
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 20:09 --------- d-----w C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\VMware
2008-05-22 20:09 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\VMware
2008-05-22 20:09 --------- d-----w C:\Documents and Settings\Administrator.XPS1530\Application Data\VMware
2008-05-22 20:06 8,835,104 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-22 20:06 106,676 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-22 20:06 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-22 19:58 --------- d-----w C:\Documents and Settings\Administrator.XPS1530\Application Data\Skype
2008-05-22 16:42 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-05-22 16:34 --------- d-----w C:\Program Files\Spyware Doctor
2008-05-22 16:34 --------- d-----w C:\Documents and Settings\Administrator.XPS1530\Application Data\Azureus
2008-05-22 16:28 1,156,608 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-05-22 15:08 --------- d-----w C:\Documents and Settings\Administrator.XPS1530\Application Data\skypePM
2008-05-21 17:20 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-03 17:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-03 15:20 --------- d-----w C:\Program Files\Creative
2008-04-26 20:25 --------- d-----w C:\Program Files\CyberLink
2008-04-23 04:59 --------- d-----w C:\Program Files\Avanquest update
2008-04-21 19:30 --------- d-----w C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\VMware
2008-04-20 23:03 32 ----a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\ezsid.dat
2008-04-20 22:43 --------- d-----w C:\Documents and Settings\Administrator.XPS1530\Application Data\Talkback
2008-04-18 09:17 --------- d-----w C:\Documents and Settings\Administrator.XPS1530\Application Data\Symantec
2008-04-18 07:23 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2008-04-17 22:59 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Sony
2008-04-17 22:59 --------- d-----w C:\Documents and Settings\Administrator.XPS1530\Application Data\Sony
2008-04-17 22:54 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-04-17 22:54 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-04-17 22:52 --------- d-----w C:\Documents and Settings\Administrator.XPS1530\Application Data\Sony Setup
2008-04-17 22:01 --------- d-----w C:\Program Files\Norton Ghost
2008-04-17 22:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-17 18:52 --------- d-----w C:\Documents and Settings\Administrator.XPS1530\Application Data\AdobeUM
2008-04-17 08:50 --------- d-----w C:\Program Files\MagicISO
2008-04-17 08:26 21,361 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-04-17 08:26 21,361 ----a-w C:\WINDOWS\AegisP.sys
2008-04-17 08:26 --------- d-----w C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\Intel
2008-04-17 08:26 --------- d-----w C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Intel
2008-04-17 08:26 --------- d-----w C:\Documents and Settings\Default User.WINDOWS\Application Data\Intel
2008-04-17 08:26 --------- d-----w C:\Documents and Settings\Administrator.XPS1530\Application Data\Intel
2008-04-17 08:25 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Intel
2008-04-16 23:29 --------- d-----w C:\Program Files\Winamp
2008-04-16 23:27 --------- d-----w C:\Program Files\Skype
2008-04-16 23:27 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Skype
2008-04-16 00:02 46,592 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-04-16 00:02 1,359,360 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-04-15 23:57 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\UIB
2008-04-15 23:56 --------- d-----w C:\Program Files\DIFX
2008-04-15 23:54 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-15 23:54 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2008-04-15 23:53 --------- d-----w C:\Program Files\DellTPad
2008-04-15 23:48 --------- d-----w C:\Program Files\Thoosje Sidebar 2.2
2008-04-15 23:47 --------- d-----w C:\Program Files\Tweak-XP Pro
2008-04-15 23:35 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-15 23:31 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-15 23:29 --------- d-----w C:\Program Files\DVD Shrink
2008-04-15 23:29 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\DVD Shrink
2008-04-15 23:26 --------- d-----w C:\Program Files\Ahead
2008-04-15 23:25 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Sony Ericsson
2008-04-15 23:25 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\BVRP Software
2008-04-15 23:24 --------- d-----w C:\Program Files\Java
2008-04-15 23:24 --------- d-----w C:\Documents and Settings\Administrator.XPS1530\Application Data\InstallShield
2008-04-15 23:23 --------- d-----w C:\Program Files\CDex_150
2008-04-15 23:20 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\MailFrontier
2008-04-15 23:20 --------- d-----w C:\Documents and Settings\Administrator.XPS1530\Application Data\MailFrontier
2008-04-15 23:09 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2008-04-15 23:09 --------- d-----w C:\Documents and Settings\Administrator.XPS1530\Application Data\TMP
2008-04-15 23:08 --------- d-----w C:\Program Files\SigmaTel
2008-04-15 22:58 --------- d-----w C:\Program Files\Symantec
2008-04-14 15:59 --------- d-----w C:\Program Files\Sony
2008-04-13 22:39 --------- d-----w C:\Program Files\MyMp3Recorder
2008-04-13 21:46 --------- d-----w C:\Program Files\Steinberg
2008-04-13 21:44 --------- d-----w C:\Program Files\Syncrosoft
2008-04-13 19:37 --------- d-----w C:\Program Files\Freecorder
2008-04-13 19:07 --------- d-----w C:\Program Files\SuperMp3Recorder
2008-04-13 19:07 --------- d-----w C:\Program Files\Admiresoft
2008-04-06 09:44 --------- d-----w C:\Program Files\Sony Ericsson
2008-04-05 12:01 --------- d-----w C:\Program Files\Windows Live
2008-04-05 11:47 --------- d-----w C:\Program Files\VMware
2008-04-05 11:47 --------- d-----w C:\Program Files\Common Files\VMware
2008-04-04 14:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-03-30 23:26 --------- d-----w C:\Program Files\ANYCOM_Blue_USB_200_250_v5_1_0_4200
2008-03-27 21:32 --------- d-----w C:\Program Files\ScreenSaver.com
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 20:00 --------- d-----w C:\Program Files\Troytec.com
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-13 22:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-13 22:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2000-04-19 22:00 6,995 ----a-w C:\WINDOWS\inf\RAMDISK.SYS
2006-06-15 20:33 233,472 ----a-w C:\Program Files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-25 18:43 204,895 ----a-w C:\Program Files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 14:41 77,824 ----a-w C:\Program Files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-06-19 13:10 426,081 ----a-w C:\Program Files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 12:19 458,752 ----a-w C:\Program Files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 18:35 139,264 ----a-w C:\Program Files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 11:10 204,800 ----a-w C:\Program Files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 11:42 106,496 ----a-w C:\Program Files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 11:22 212,992 ----a-w C:\Program Files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 11:21 167,936 ----a-w C:\Program Files\mozilla firefox\plugins\RLVoiceUnpacker.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0b699abe-1474-454d-adb4-2d2e7335dbd9}]
2008-05-22 09:00 135680 --a------ C:\WINDOWS\system32\kjeipsnx.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{514A5C49-0C7D-42c3-A71B-38864A269B7A}]
2008-05-22 08:57 92160 --a------ C:\WINDOWS\system32\iixejoea.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@={F2F31467-B1AC-4df0-AE79-FD5FA085E22B}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@={A3E208F7-0E3A-4182-A7A6-B169D5D691AA}
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-17 00:13 721408 --a------ C:\Program Files\Fingerprint Reader Suite\farchns.dll
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-17 00:13 721408 --a------ C:\Program Files\Fingerprint Reader Suite\farchns.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Tracks Eraser Pro"="C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe" [2008-01-02 16:04 1343336]
"TransTask"="" []
"TransparentIcons"="" []
"Tweak-XP"="" []
"BlockAds"="" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-03 16:48 21898024]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2007-11-20 15:02 356352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 16:52 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 13:30 85184]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe" [2005-03-04 20:01 32881]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [2007-07-02 14:29 159744]
"PSQLLauncher"="C:\Program Files\Fingerprint Reader Suite\launcher.exe" [2007-04-16 23:50 49168]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-17 03:03 8495104]
"nwiz"="nwiz.exe" [2007-11-17 03:03 1626112 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-11-17 03:03 86016 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-11-17 03:03 81920]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 14:18 995328]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 14:13 1101824]
"Norton Ghost 14.0"="C:\Program Files\Norton Ghost\Agent\VProTray.exe" [2008-01-19 20:01 2245984]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 07:24 286720]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-10-08 09:27 72240]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-10-08 09:26 55856]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 15:26 303104 C:\WINDOWS\stsystra.exe]
"BMf3b5f465"="C:\WINDOWS\system32\eeweavce.dll" [2008-05-22 08:57 128000]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
C:\Documents and Settings\Administrator.XPS1530\Start Menu\Programs\Startup\
Thoosje Sidebar.lnk - C:\Program Files\Thoosje Sidebar 2.2\Thoosje Sidebar.exe [2007-08-10 19:28:03 524288]
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\WINDOWS\system32\psqlpwd.dll 2007-04-16 23:04 86528 C:\WINDOWS\system32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;C:\WINDOWS\system32\dllhost.exe [2004-08-04 00:56]
R3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [2008-03-18 14:13]
R3 SymSnapService;SymSnapService;"C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe" [2007-12-20 17:13]
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2007-04-16 23:44]
.
Contents of the 'Scheduled Tasks' folder
"2008-05-22 20:10:38 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 21:08:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\eeweavce.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Fingerprint Reader Suite\psqltray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\DellTPad\hidfind.exe
C:\Program Files\DellTPad\ApntEx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-22 21:11:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-22 20:11:09
Pre-Run: 11,021,033,472 bytes free
Post-Run: 10,929,995,776 bytes free
296 --- E O F --- 2008-05-21 17:16:44
==================================================================
==================================================================