Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

zumbus trojan


  • Please log in to reply

#1
jgill_2008

jgill_2008

    New Member

  • Member
  • Pip
  • 3 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:28 PM, on 12/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\trlrm\RMHSvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\V0400Mon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Fujitsu\Utils\fjevents.exe
C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\prunnet.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Altiris\AClient\AClntUsr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\AeXInvSoln.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\aexnsinvcollector.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.stlcop.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O3 - Toolbar: Trlokom IE Toolbar - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - C:\Program Files\SpyWall\TrlIETool.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [FjStrtAp] c:\Program Files\Fujitsu\Utils\FjStrtAp.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [V0400Mon.exe] C:\WINDOWS\V0400Mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [e480bd72] rundll32.exe "C:\WINDOWS\system32\xspmkwkb.dll",b
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.stlcop.edu
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1150481180941
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1182445137998
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://axis-cor.stlc...sCamControl.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15035/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stlcop.local
O17 - HKLM\Software\..\Telephony: DomainName = stlcop.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = stlcop.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = stlcop.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: AMINIT.DLL dvlnoa.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: CounterSpy Enterprise Agent (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Trlokom Central Management Helper 1.4.1 0 (trlokom_rmhsvc) - Trlokom, Inc. - C:\WINDOWS\trlrm\RMHSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14005 bytes
  • 0

Advertisements


#2
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


//discussed in chat//
  • 0

#3
jgill_2008

jgill_2008

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
ComboFix 08-12-30.02 - JGill 2008-12-31 13:43:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.590 [GMT -6:00]
Running from: c:\documents and settings\jgill\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jgill\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\awtUnOfe.dll
c:\windows\system32\bkwkmpsx.ini
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekaqpoxjcga.sys
c:\windows\system32\dvlnoa.dll
c:\windows\system32\evopqcgl.dll
c:\windows\system32\geBqNgff.dll
c:\windows\system32\prunnet.exe
c:\windows\system32\QprAayay.ini
c:\windows\system32\QprAayay.ini2
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekaftabrrul.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekaltoyutow.dll
c:\windows\system32\senekayvkvjgfu.dll
c:\windows\system32\xspmkwkb.dll
c:\windows\system32\yayaArpQ.dll

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.

2008-12-31 12:37 . 2008-12-31 12:37 <DIR> d-------- c:\program files\Trend Micro
2008-12-31 02:43 . 2008-12-31 02:43 1,024 --a------ c:\windows\system32\drivers\69DF7DA5-19CC-4B32-9AAE-1FE318EC2978.cxv
2008-12-31 02:42 . 2008-12-31 02:42 <DIR> d-------- c:\program files\STOPzilla!
2008-12-31 02:42 . 2008-12-31 02:42 <DIR> d-------- c:\program files\Common Files\iS3
2008-12-31 02:42 . 2008-12-31 13:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2008-12-31 02:23 . 2008-12-31 02:23 <DIR> d-------- c:\windows\trlrm
2008-12-31 02:23 . 2008-12-31 05:55 <DIR> d-------- c:\program files\SpyWall
2008-12-31 02:23 . 2008-12-31 02:23 186,880 --a------ c:\windows\system32\drivers\trlkprot.sys
2008-12-31 02:23 . 2008-12-31 02:34 36 -r-h----- c:\windows\sued.dat
2008-12-31 01:12 . 2008-12-31 01:12 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-31 01:12 . 2008-12-31 01:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-31 01:03 . 2008-12-31 01:05 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-31 01:03 . 2008-12-31 01:03 <DIR> d-------- c:\documents and settings\jgill\Application Data\PC Tools
2008-12-31 01:03 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-31 01:03 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-31 01:03 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-31 01:03 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-30 22:08 . 2008-12-30 22:08 72,192 --a------ c:\windows\system32\fccdaBqr.dll
2008-12-25 18:24 . 2008-12-25 18:24 <DIR> d-------- c:\documents and settings\jgill\Application Data\Red Kawa
2008-12-25 18:23 . 2008-12-25 18:23 <DIR> d-------- C:\OpenCandy
2008-12-13 16:55 . 2008-12-13 16:55 <DIR> d-------- c:\program files\iTunes
2008-12-13 16:55 . 2008-12-13 16:55 <DIR> d-------- c:\program files\iPod
2008-12-13 16:55 . 2008-12-13 16:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-13 16:51 . 2008-12-13 16:51 <DIR> d-------- c:\program files\QuickTime
2008-12-11 14:14 . 2008-12-11 14:14 <DIR> d-------- C:\1a18f42789a4915f82796e
2008-12-11 08:51 . 2008-10-23 06:36 286,720 -----c--- c:\windows\system32\dllcache\gdi32.dll
2008-11-19 12:20 . 2008-11-19 12:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-14 08:24 . 2008-11-14 08:24 <DIR> d--h----- c:\documents and settings\All Users\Application Data\CanonBJ
2008-11-14 08:23 . 2008-11-14 08:23 <DIR> d--h----- c:\windows\system32\CanonIJ Uninstaller Information
2008-11-14 08:23 . 2008-11-14 08:23 <DIR> d--h----- c:\program files\CanonBJ
2008-11-14 08:23 . 2007-03-23 16:30 1,400,832 --a------ c:\windows\system32\CNC210C.DLL
2008-11-14 08:23 . 2008-02-06 05:00 216,064 --a------ c:\windows\system32\CNMLM8S.DLL
2008-11-14 08:23 . 2007-03-19 10:16 200,704 --a------ c:\windows\system32\CNC210L.DLL
2008-11-14 08:23 . 2007-03-15 14:12 188,416 --a------ c:\windows\system32\CNC210O.DLL
2008-11-14 08:23 . 2007-03-23 16:29 98,304 --a------ c:\windows\system32\CNC210I.DLL
2008-11-13 21:17 . 2008-11-13 21:17 <DIR> d-------- c:\program files\Canon
2008-11-12 14:10 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 14:09 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-04 18:17 . 2008-09-12 11:12 69,168 --a------ c:\windows\system32\drivers\sbapifs.sys
2008-11-04 18:15 . 2008-09-12 11:12 13,360 --a------ c:\windows\system32\drivers\sbaphd.sys
2008-11-04 10:30 . 2008-11-04 10:30 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-11-04 10:30 . 2008-11-04 10:30 57,344 --a------ c:\windows\system32\QuickTime.qts
2008-11-03 11:16 . 2008-10-09 10:21 202,928 --a------ c:\windows\system32\drivers\sbtis.sys
2008-11-03 11:15 . 2008-11-03 11:15 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Sunbelt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 19:56 --------- d-----w c:\documents and settings\jgill\Application Data\Skype
2008-12-31 19:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-31 08:55 --------- d-----w c:\documents and settings\jgill\Application Data\skypePM
2008-12-26 00:24 --------- d-----w c:\program files\Red Kawa
2008-12-21 02:36 --------- d-----w c:\documents and settings\jgill\Application Data\DVD Flick
2008-12-16 17:35 2,401 ----a-w c:\windows\system32\drivers\AlKernel.sys
2008-12-14 18:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-13 22:55 --------- d-----w c:\program files\Common Files\Apple
2008-12-06 23:46 --------- d-----w c:\documents and settings\jgill\Application Data\U3
2008-11-19 18:20 --------- d-----w c:\program files\AIM6
2008-11-19 18:20 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-19 18:19 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-05 11:00 497 ----a-w c:\program files\Altir
2008-11-05 11:00 240 ----a-w c:\program files\Altira
2008-10-28 22:28 65,320 ----a-w c:\windows\system32\sbbd.exe
2008-10-25 13:18 1,846,912 ----a-w c:\windows\system32\win32k.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-22 02:10 41 ----a-w C:\AClient.dat
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-03-15 03:36 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2005-11-15 20:32 3,638 ----a-r c:\program files\Common Files\Altiris_Icon.ico
2008-04-09 05:10 88 --sha-r c:\windows\system32\739E81C5EA.sys
2008-04-09 05:11 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-08-03 19:44 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080320080804\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-02-06 21898024]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-11-17 53341]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATSwpNav"="c:\program files\Fingerprint Sensor\ATSwpNav -run" [X]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-13 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-13 271872]
"AClntUsr"="c:\program files\Altiris\AClient\AClntUsr.EXE" [2008-12-31 184320]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2007-03-27 143360]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 761946]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"FjStrtAp"="c:\program files\Fujitsu\Utils\FjStrtAp.exe" [2006-03-30 20480]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2005-09-09 81920]
"OmniPass"="c:\program files\Softex\OmniPass\scureapp.exe" [2005-11-21 1847296]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 528384]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-14 185632]
"V0400Mon.exe"="c:\windows\V0400Mon.exe" [2007-08-23 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2008-10-28 664872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"AGRSMMSG"="AGRSMMSG.exe" [2006-01-16 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

c:\documents and settings\jgill\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"consentpromptbehavioradmin"= 0 (0x0)
"enablesecureuiapaths"= 0 (0x0)
"promptonsecuredesktop"= 0 (0x0)
"DefaultLogonDomain"= stlcop.local

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoPropertiesMyComputer"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-13 18:11 47104 c:\program files\Common Files\Microsoft Shared\INK\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 02:41 11776 c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-13 18:12 32256 c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=AMINIT.DLL dvlnoa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.voxacm150"= vct32150.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=bootup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]
"Script"=pushprinterconnections.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1162508061-1999852495-692992123-23580\Scripts\Logon\0\0]
"Script"=Unified Logon rev6.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1162508061-1999852495-692992123-23580\Scripts\Logon\0\1]
"Script"=pushprinterconnections.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1162508061-1999852495-692992123-30909\Scripts\Logon\0\0]
"Script"=Unified Logon rev6.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1162508061-1999852495-692992123-30909\Scripts\Logon\0\1]
"Script"=pushprinterconnections.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1162508061-1999852495-692992123-4280\Scripts\Logoff\0\0]
"Script"=LogOff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1162508061-1999852495-692992123-4280\Scripts\Logon\0\0]
"Script"=Unified Logon rev3.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1162508061-1999852495-692992123-4280\Scripts\Logon\1\0]
"Script"=TechLogon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1162508061-1999852495-692992123-7611\Scripts\Logon\0\0]
"Script"=Unified Logon rev3.vbe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MoRUN.net\\Sticker Lite\\sticker.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\trlrm\\RMHSvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8834:TCP"= 8834:TCP:BitComet 8834 TCP
"8834:UDP"= 8834:UDP:BitComet 8834 UDP

R0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2006-02-21 36352]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2005-09-23 28544]
R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [2007-03-07 9216]
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-11-04 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2008-11-03 202928]
R1 trlkprot;Trlokom Application scan driver;c:\windows\system32\Drivers\trlkprot.sys [2008-12-31 186880]
R2 ekrn;Eset Service;"c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2008-03-13 472320]
R2 SBAMSvc;CounterSpy Enterprise Agent;"c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe" [2008-10-28 886056]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-11-04 69168]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-29 24652]
R3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\DRIVERS\FjBtnDrv.sys [2006-03-29 17920]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\DRIVERS\FUJ02E3.sys [2004-01-17 4864]
R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\DRIVERS\hidpen.sys [2004-08-02 31104]
S3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\DRIVERS\MSTabBtn.sys [2003-10-09 9344]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\DRIVERS\s125bus.sys [2007-09-20 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s125mdfl.sys [2007-10-21 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s125mdm.sys [2007-10-21 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s125mgmt.sys [2007-10-21 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s125obex.sys [2007-10-21 98696]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys [2008-10-23 92464]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-31 356920]
S3 VF0400Afx;VF0400 Audio FX;c:\windows\system32\Drivers\V0400Afx.sys [2008-04-24 142656]
S3 VF0400Vfx;VF0400 Video FX;c:\windows\system32\DRIVERS\V0400VFx.sys [2008-04-24 7424]
S3 VF0400Vid;Live! Cam Notebook Pro (VF0400);c:\windows\system32\DRIVERS\V0400Vid.sys [2008-04-24 166720]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\DRIVERS\wacompen.sys [2006-06-16 14208]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2075e72b-8b45-11dd-b2d7-00130260747d}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{497c3b70-a2c6-11dc-b209-00130260747d}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83916990-17a2-11dd-b272-00130260747d}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94a82682-d59a-11dc-b22f-00130260747d}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-31 c:\windows\Tasks\xhaplsdi.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3270BEEE-61C1-4A62-B434-BF43ADA13473} - (no file)
BHO-{90E8BC1C-6CBD-4324-BB64-F27B41F9C34B} - (no file)
BHO-{9238bcd0-5ea0-4770-bbbf-d39bf1b5f58e} - c:\windows\system32\dvlnoa.dll
BHO-{B3F37293-2861-490C-9057-DF7FF30620E4} - (no file)
BHO-{E30FF91D-B3BC-47E4-B9AD-C80440825C9E} - c:\windows\system32\yayaArpQ.dll
Toolbar-SITEguard - (no file)
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-e480bd72 - c:\windows\system32\xspmkwkb.dll
HKLM-Run-<NO NAME> - (no file)


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.stlcop.edu/
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
FF - ProfilePath - c:\documents and settings\jgill\Application Data\Mozilla\Firefox\Profiles\8q8iqqug.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\jgill\Application Data\Mozilla\Firefox\Profiles\8q8iqqug.default\extensions\[email protected]\components\coolirisstub.dll
FF - plugin: c:\documents and settings\jgill\Application Data\Mozilla\Firefox\Profiles\8q8iqqug.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-31 13:55:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL
L*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Owner=S-1-5-21-1162508061-1999852495-692992123-23580
"*"=dword:00000004

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL
L*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-1162508061-1999852495-692992123-23580\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL
L*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-1162508061-1999852495-692992123-23580\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL
L*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-1162508061-1999852495-692992123-23580\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5CC24401-FC12-72A2-87BF-BEDD778F83AB}*NULL*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-1162508061-1999852495-692992123-23580
@Allowed: (Full) (S-1-5-21-1162508061-1999852495-692992123-23580)
@Allowed: (Full) (S-1-5-21-1162508061-1999852495-692992123-23580)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
"oaacddabkpnidfgeiekdnkihgmdkjo"=hex:64,61,61,65,64,6e,66,6a,00,80
"oamodfkgeammaipdnhmoolhndjhfpa"=hex:6b,61,62,65,66,6e,64,63,64,64,6f,70,66,6e,\
6c,62,61,61,61,6c,6c,6b,00,00
"naobnaoiojmdepnmdaehgajjdkjb"=hex:6a,61,61,65,65,6e,61,70,68,70,6a,70,6c,69,\
6e,6e,6c,66,68,63,00,fd

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL
L*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL
L*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\{2851123E-5786-41BE-A3F1-A9B21E499EEB}]
@Owner=Administrators
@Denied: (A C D 1) (S-1-5-21-1162508061-1999852495-692992123-15641)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Owner)
@Allowed: (Full) (LocalSystem)
@Allowed: (Read) (Users)
"DisplayIcon"="c:\\Program Files\\Common Files\\Altiris_Icon.ico,0"
"AuthorizedCDFPrefix"=""
"Comments"="This product contains Altiris Task Synchronization Agent"
"Contact"="customer support Department"
"DisplayVersion"="6.1.1030.0"
"HelpLink"=expand:"http://www.altiris.com"
"HelpTelephone"="1-801-226-8500"
"InstallDate"="20070621"
"InstallLocation"=""
"InstallSource"="c:\\WINDOWS\\TEMP\\apt4\\"
"ModifyPath"=expand:"MsiExec.exe /X{2851123E-5786-41BE-A3F1-A9B21E499EEB}"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
"Publisher"="Altiris Inc."
"Readme"=""
"Size"=""
"EstimatedSize"=dword:00000156
"UninstallString"=expand:"MsiExec.exe /X{2851123E-5786-41BE-A3F1-A9B21E499EEB}"
"URLInfoAbout"="http://www.altiris.com"
"URLUpdateInfo"=""
"VersionMajor"=dword:00000006
"VersionMinor"=dword:00000001
"WindowsInstaller"=dword:00000001
"Version"=dword:06010406
"Language"=dword:00000409
"DisplayName"="Altiris Task Synchronization Agent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\{92F2A534-C3E4-4B18-BEBD-329F5E848C8B}]
@Owner=Administrators
@Denied: (A C D 1) (S-1-5-21-1162508061-1999852495-692992123-15641)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Owner)
@Allowed: (Full) (LocalSystem)
@Allowed: (Read) (Users)
"DisplayVersion"="6.0.0.2386"
"UninstallString"="c:\\Program Files\\Altiris\\Altiris Agent\\AeXNSAgent.exe /uninstall"
"Publisher"="Altiris Inc."
"HelpLink"="http://www.altiris.com/support"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\{9B25F628-D16E-4AC2-9FD8-88B98F5B8E89}]
@Owner=Administrator
@Denied: (A C D 1) (S-1-5-21-1162508061-1999852495-692992123-15641)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Owner)
@Allowed: (Full) (LocalSystem)
@Allowed: (Read) (Users)
@SACL=
"UninstallString"="RunDll32 c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\engine\\6\\INTEL3~1\\Ctor.dll,LaunchSetup \"c:\\Program Files\\InstallShield Installation Information\\{9B25F628-D16E-4AC2-9FD8-88B98F5B8E89}\\Setup.exe\" -l0x9 "
"DisplayName"="Altiris Application Metering Agent"
"LogFile"="c:\\Program Files\\InstallShield Installation Information\\{9B25F628-D16E-4AC2-9FD8-88B98F5B8E89}\\setup.ilg"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\{A0A1EB01-A6FD-423A-8480-364055A7C961}]
@Owner=Administrators
@Denied: (A C D 1) (S-1-5-21-1162508061-1999852495-692992123-15641)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Owner)
@Allowed: (Full) (LocalSystem)
@Allowed: (Read) (Users)
"DisplayIcon"="c:\\Program Files\\Altiris\\Altiris Agent\\AeXSWDAppInv.exe,0"
"AuthorizedCDFPrefix"=""
"Comments"="This product contains Altiris Software Delivery Solution Agent"
"Contact"="customer support Department"
"DisplayVersion"="6.1.1016.0"
"HelpLink"=expand:"http://www.altiris.com"
"HelpTelephone"="1-801-226-8500"
"InstallDate"="20070621"
"InstallLocation"=""
"InstallSource"="c:\\WINDOWS\\TEMP\\apt3\\"
"ModifyPath"=expand:"MsiExec.exe /X{A0A1EB01-A6FD-423A-8480-364055A7C961}"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
"Publisher"="Altiris Inc."
"Readme"=""
"Size"=""
"EstimatedSize"=dword:0000037b
"UninstallString"=expand:"MsiExec.exe /X{A0A1EB01-A6FD-423A-8480-364055A7C961}"
"URLInfoAbout"="http://www.altiris.com"
"URLUpdateInfo"=""
"VersionMajor"=dword:00000006
"VersionMinor"=dword:00000001
"WindowsInstaller"=dword:00000001
"Version"=dword:060103f8
"Language"=dword:00000409
"DisplayName"="Altiris Software Delivery Solution Agent"

[HKEY_LOCAL_MACHINE\software\Sigmatel\GlobalState]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=Administrators
@Denied: (Full) (Guests)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (B 1 2 3 4 5) (S-1-5-4)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\ComputerName]
@Owner=Administrators
@Denied: (A C D 2) (S-1-5-21-1162508061-1999852495-692992123-15641)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Owner)
@Allowed: (Full) (LocalSystem)
@Allowed: (Read) (Users)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\ComputerName\$%&'()*+,-./0123$%&]
@Owner=S-1-5-21-1162508061-1999852495-692992123-23580

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\ComputerName\ComputerName]
@Owner=Administrators
"ComputerName"="S067060"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\program files\Softex\OmniPass\ginastub.dll
c:\program files\Softex\OmniPass\ssplogon.dll
c:\program files\Softex\OmniPass\cryptodll.dll
c:\program files\Softex\OmniPass\storeng.dll
c:\program files\Softex\OmniPass\autheng.dll
c:\program files\Softex\OmniPass\userdata.dll
c:\program files\Softex\OmniPass\hdddrv.dll
c:\program files\Softex\OmniPass\ldapdrv.dll
c:\program files\Softex\OmniPass\cachedrv.dll
c:\program files\Softex\OmniPass\sftxtgp.dll
c:\program files\Softex\OmniPass\mstrpwd.dll
c:\program files\Softex\OmniPass\authntec.dll
c:\windows\system32\atsc63.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Softex\OmniPass\OmniServ.exe
c:\program files\Common Files\iS3\Anti-Spyware\SZServer.exe
c:\windows\system32\scardsvr.exe
c:\program files\Altiris\AClient\ACLIENT.EXE
c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CCSRVC.exe
c:\program files\Altiris\Carbon Copy\ShellKer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PSIService.exe
c:\windows\trlrm\RMHSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Microsoft Shared\INK\keyboardsurrogate.exe
c:\windows\system32\wisptis.exe
c:\windows\system32\tabbtnu.exe
c:\progra~1\Altiris\CARBON~1\Client.exe
c:\program files\Common Files\Microsoft Shared\INK\tcserver.exe
c:\program files\Fingerprint Sensor\ATSwpNav.exe
c:\program files\Fujitsu\Utils\FjDspMon.exe
c:\program files\Fujitsu\Utils\FjEvents.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
c:\program files\STOPzilla!\STOPzilla.exe
.
**************************************************************************
.
Completion time: 2008-12-31 14:03:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-31 20:02:34

Pre-Run: 13,061,054,464 bytes free
Post-Run: 13,111,775,232 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

515 --- E O F --- 2008-12-18 18:33:15
  • 0

#4
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
  • 0

#5
jgill_2008

jgill_2008

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Malwarebytes' Anti-Malware 1.31
Database version: 1586
Windows 5.1.2600 Service Pack 3

2008-12-31 15:40:43
mbam-log-2008-12-31 (15-40-43).txt

Scan type: Quick Scan
Objects scanned: 77873
Time elapsed: 6 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#6
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,

<jgill_2008> i continued scanning however now it says "Combofix has detected the presence of rootkit activity and needs to reboot the machince Kindly note down on paper, the name of each file. We may need it later

Did you write down any of the things combofix said it had found as per our conversatio in chat?
Could you please tell me what they were.

:)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP